The Target Breach – Follow The Money
Agenda
• Introductions
• How The Money Flows
• The Fraud Cycle: Who wins? Who Loses?
• The Target Attack
• The Aftermath

Page 2
Introductions: Today’s Speakers
• Mark D. Rasch, Esq., Chief Privacy Officer, SAIC

• Ted Julian, Chief Marketing Officer, Co3 Systems

The complete process – based on E.R. standards
PREPARE – Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table tops)

ASSESS – Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries

MANAGE – Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence

MITIGATE – Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
THE PROCESS
Intro
• When a cardholder uses a credit card to purchase merchandise, the transaction moves through a process that involves authorization, clearing and settlement.
• Each step of the process involves an exchange of transaction data and money that must be settled and balanced.
• This process ends when the cardholder pays for the merchandise listed on his/her monthly statement.
Dramatis Personae
• Cardholder – The consumer who owns the card.
• Merchant – An entity that contracts with an Acquiring Processor to originate transactions.
• Acquiring Processor – An entity that communicates with Visa to gain approvals to complete cardholder transactions. Processor is an acquiring processor.
• Visa – The largest association member. Visa is the largest payment system, enabling 14,000 financial institutions to process over $1 trillion in annual transaction volume.
• Issuing Bank – The financial institution that issues the credit card. For example, CapitalOne, Chase, Wells Fargo.
Other Parties (who can I blame?)
• Software vendor – creates and/or maintains general software
• CRM vendors and contractors – hired by merchant to maintain Customer Relations Management (CRM) data which feeds into POS terminal
• POS Terminal Vendor – supplier of POS terminals, related software, maintenance and support
• PCI DSS / PA-DSS Assessor – assesses and certifies compliance with PCI DSS standards
• IT Security Staff/Consultants – conducted pen tests, other assessments
• IT Audit (internal/external)
• Third party vendors with access to Target network (HVAC)
• Don’t forget insurers!
The Credit Card Transaction Process – Where does the data go?
• Step 1 – Authorization
Cardholder makes a purchase using a credit card. The merchant must obtain authorization for the purchase from the bank that issued the card.
• Step 2 – Clearing
If the transaction is approved, the next step is clearing. In this phase, the Issuing Bank obtains basic transaction data from the merchant such as the amount, date and location of the purchase. This data is then sent to the credit card issuer for posting to the monthly credit card statement.
• Step 3 – Settlement
In the final step, settlement, the funds are collected from the Issuing Bank and transmitted to the merchant. When a consumer uses a credit card, the merchant does not receive payment at the time of purchase. The bank credits the merchant’s bank account. The bank then sends payment to the processor, who sends the payment to Visa. The cardholder receives a monthly statement and settles with Visa for purchases made using the credit card.
The Four Party Model (Debit Card)
[Diagram: Cardholder, Merchant, Issuer and Acquirer, with the flows between them labelled “Purchase goods / services using card payment instrument”, “Convenience & payment instrument”, “Card Payment Facility”, “Transaction Fees”, “Merchant Service Charge”, “Settlement & Payment Services”, “Settlement & Risk Bearing” and “Interchange Fee”.]
2/6/2014
THE FRAUD CYCLE
Fraud Flow
• Issuer issues cc to consumer – not secure because of cost
• Consumer fails to protect cc because of zero liability
• Consumer uses cc at Target store
• Consumer swipes card at POS
• Hacker steals number and sells
• Hackers post stolen credit cards on multiple “carder” forums around the world. The card numbers are purchased and sold within minutes/hours of their having been stolen
• Carders use machines to create new “bogus” credit cards
• Carders distribute these bogus cards worldwide
• Carder “mules” use the bogus cards at ATMs or stores worldwide
• Mules purchase goods (or services) online or offline
• The purloined products are sold on online auction sites
• Some of the proceeds ($) used to finance new hacks
Losers
• Issuer – reissue millions of cards, call centers 24/7 at Christmas
• Consumer – loss of confidence, anxiety, monitoring, inconvenience – possible $50 loss
• Target – massive dollar loss, cost of investigation, PCI DSS “fines,” AG investigations, loss of reputation, loss of confidence
• Target Stockholders – loss of share price (short and long term)
• POS Vendor/Processor – Possible liability (but look at contracts)
• Third party merchants – out sales, cardmember “present” vs. cardmember “not present” transactions.
• Manufacturers – lost sales because of fraudulent purchases
• Insurers – indemnify each of these parties
• Web/E-commerce merchants – fraudulent sales
• PCI DSS Certification entity
SEC Disclosure
• Target stock price (6 month)
• TJX (5 year)
• Heartland Payment (5 year)

Item 1A. Risk Factors
There have been no material changes to the risk factors described in our Annual Report on Form 10-K for the fiscal year ended February 2, 2013.

Target Class Actions

SEC Disclosure

Friendly Letters From Congress

Trade Organization Response
Winners
• Verizon business
• FBI/USSS
• Experian
• Data breach notification companies
• WalMart or competitors
• Hackers!
• Next Gen Payment System vendors
• Security Vendors/Consultants
• Forensic investigators
• Brian Krebs
• Cyber-insurance sellers
• Lawyers
Finger Pointing – Target vs. Issuers
• Target – it’s the credit card issuers’ fault for having insecure “magstripe” credit cards (to save infrastructure costs). Target tried to push “Chip & PIN” cards but had resistance from banks. Upgrading Target alone to Chip & PIN = $100 million.
• Banks – it’s the merchant’s fault because of faulty security and trust models – PCI DSS violations.
• In 2012 banks bore 63% of fraudulent losses; merchants 37%*
• Bank losses come from counterfeit cards; merchant losses come from card-not-present (CNP) transactions on the Web, at a call center or through mail order.
• BUT – the goal is NOT to prevent/reduce fraud! The goal is to enhance consumer confidence.
* (Source: Nilson Report, August 2013)
POLL
THE ATTACK
Threat model
• Attacker types
  • Class I: Clever outsiders
    • Intelligent, but lack information; exploit known attacks
  • Class II: Knowledgeable insiders
    • Have inside information on protocols/design, can use sophisticated tools
  • Class III: Funded organizations
    • Have information, resources, equipment, and incentives
    • Can employ class II attackers in teams
Attacker Goals
• To get the crypto keys stored in RAM or ROM
• To learn the secret crypto algorithm used
• To obtain other information stored on the chip (e.g. PINs)
• To modify information on the card (e.g. calling card balance)
Methodology
• Obtain access – likely SQL injection
• Obtain data – likely RAM scraper (inter-process
communications hook)
• Aggregate data – create internal shared drive / use vendor
hard-coded credentials (BMC)
• Store data - create password-protected root access remote
file server with additional services
• Exfiltration - FTP or other access to remote file share
(Cuckoo’s Egg)
PIN Processing
Transaction PIN Flow Diagram:
• Card holder uses debit card (ATM/POS) and enters PIN.
• PED or payment terminal encrypts the PIN using the PIN Encryption Key already injected within the device.
• PIN is decrypted using the same key … and then encrypted by the Acquirer/Working Key, which may be shared with the Acquirer, VisaNet or other processor network.
• PIN is decrypted using the Acquirer/Working Key … and then encrypted by the Issuer Working Key, which is shared with the card issuer.
• Issuer: PIN is decrypted using the Issuer Key … and then the PIN is validated.
• When the PIN is validated, the final transaction occurs.
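The flow above, worked through as an added Go example (not from the slides, SAIC or Co3 Systems): the PED forms an ISO 9564 format-0 PIN block and encrypts it under its injected PIN Encryption Key, each acquirer/processor hop translates the block to the next working key, and only the issuer decrypts and validates. The 24-byte 3DES keys, the PAN and the PIN are constructed demo values; the format-0 layout and single-block 3DES are the standard's, the function names are mine.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed 24-byte 3DES demo keys. Real keys live only in the PED and in
// acquirer/issuer HSMs; POS application software never holds them.
var (
	terminalPEK = []byte("PED-PEK-demo-key-0123456") // injected into the terminal
	acquirerWK  = []byte("ACQ-ZPK-demo-key-abcdefg") // acquirer/working key
	issuerWK    = []byte("ISS-WK-demo-key-ABCDEFGH") // issuer working key
)

// maskPAN XORs an 8-byte block with the ISO 9564 format-0 PAN field:
// "0000" plus the rightmost 12 PAN digits excluding the Luhn check digit.
func maskPAN(block []byte, pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	panBytes, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	out := make([]byte, 8)
	for i := range out {
		out[i] = block[i] ^ panBytes[i]
	}
	return out, nil
}

// FormatPINBlock builds a clear format-0 PIN block: PIN field (0, length,
// digits, F padding) XOR PAN field, so one PIN gives different blocks per card.
func FormatPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4-12 digits")
	}
	field := fmt.Sprintf("0%X%s", len(pin), pin)
	pinBytes, _ := hex.DecodeString(field + strings.Repeat("F", 16-len(field)))
	return maskPAN(pinBytes, pan)
}

// ParsePINBlock reverses FormatPINBlock; a block decrypted under the wrong key
// or masked with the wrong PAN fails these structure checks.
func ParsePINBlock(block []byte, pan string) (string, error) {
	clear, err := maskPAN(block, pan)
	if err != nil {
		return "", err
	}
	field := strings.ToUpper(hex.EncodeToString(clear))
	n := strings.IndexByte("0123456789ABC", field[1]) // PIN length nibble, 4..12
	if field[0] != '0' || n < 4 {
		return "", errors.New("not a format-0 PIN block")
	}
	pin, pad := field[2:2+n], field[2+n:]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(pad, "F") != "" {
		return "", errors.New("malformed PIN block")
	}
	return pin, nil
}

// tdes applies one 3DES block operation; a PIN block is a single 8-byte block.
func tdes(key, in []byte, decrypt bool) []byte {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err) // demo keys above are fixed 24-byte values
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// Translate is the acquirer/processor hop on the slide: decrypt under the incoming
// working key, re-encrypt under the outgoing one (inside a real HSM's boundary).
func Translate(fromKey, toKey, enc []byte) []byte {
	return tdes(toKey, tdes(fromKey, enc, true), false)
}

// RunFlow sends one PIN entry PED -> acquirer -> processor -> issuer and reports
// whether the issuer accepted it against its reference PIN.
func RunFlow(enteredPIN, pan, referencePIN string) (bool, error) {
	block, err := FormatPINBlock(enteredPIN, pan)
	if err != nil {
		return false, err
	}
	atPED := tdes(terminalPEK, block, false)                 // PED: encrypt under injected PEK
	atProcessor := Translate(terminalPEK, acquirerWK, atPED) // acquirer HSM: PEK -> acquirer WK
	atIssuer := Translate(acquirerWK, issuerWK, atProcessor) // processor HSM: acquirer WK -> issuer WK
	pin, err := ParsePINBlock(tdes(issuerWK, atIssuer, true), pan) // issuer decrypts and checks
	if err != nil {
		return false, err
	}
	return pin == referencePIN, nil
}

func main() {
	ok, err := RunFlow("1234", "4000123456789010", "1234") // constructed PIN and PAN
	fmt.Println("issuer accepted PIN:", ok, "error:", err)
}
```

Between the PED and the issuer, including in POS memory, only the current hop's encrypted block is observable, which is why malware on a register captures encrypted PIN blocks rather than PINs.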
PIN Weaknesses
• 4 digit PIN = 10k+ possible combinations (good)
• But > 10% of random PINs = 1234. Expanding a bit, 1234, 0000, and 1111 = 20%
• 26.83% of passwords can be cracked using the top 20 combinations.
• Birthday years are big. The 1900 PINs (1986, 1960, 1991, and so on) are extremely popular, with PINs from later in the century used the most.
• 17.8% = couplets, such as 7878, 8181
• And don’t forget 2580
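An issuer-side PIN selection policy built from the weak patterns listed above, as an added Go example (not from the slides): it rejects repeated digits, sequential runs, couplets, 19xx birth years and the keypad column 2580, and tallies rejections over a constructed batch of chosen PINs.

```go
package main

import (
	"fmt"
	"strings"
)

// WeakPINReason is an issuer-side selection policy built from the patterns on
// the slide. It returns "" for an acceptable 4-digit PIN, otherwise the rule
// that rejected it.
func WeakPINReason(pin string) string {
	if len(pin) != 4 || strings.Trim(pin, "0123456789") != "" {
		return "not four digits"
	}
	d := make([]int, 4)
	for i := range d {
		d[i] = int(pin[i] - '0')
	}
	switch {
	case d[0] == d[1] && d[1] == d[2] && d[2] == d[3]:
		return "repeated digit" // 0000, 1111
	case isRun(d, 1) || isRun(d, -1):
		return "sequential run" // 1234, 9876
	case d[0] == d[2] && d[1] == d[3]:
		return "couplet" // 7878, 8181
	case pin[:2] == "19":
		return "19xx birth year" // 1960, 1986, 1991
	case pin == "2580":
		return "keypad column" // straight down the middle of the keypad
	}
	return ""
}

// isRun reports whether consecutive digits differ by exactly step.
func isRun(d []int, step int) bool {
	for i := 1; i < len(d); i++ {
		if d[i]-d[i-1] != step {
			return false
		}
	}
	return true
}

// AuditPINs runs the policy over a batch of chosen PINs and returns how many
// were rejected under each rule, a figure a fraud team can trend over time.
func AuditPINs(pins []string) map[string]int {
	counts := map[string]int{}
	for _, p := range pins {
		if reason := WeakPINReason(p); reason != "" {
			counts[reason]++
		}
	}
	return counts
}

func main() {
	// Constructed sample of customer-chosen PINs, not real data.
	sample := []string{"1234", "0000", "1111", "1986", "7878", "2580", "4729", "8306"}
	fmt.Println(AuditPINs(sample))
}
```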
Skimmers
• Another route to the data: a physical attack on the device
• Collects, stores and transmits
  • Magstripe data
  • Unencrypted PIN data
• Easy to install but needs physical access to the device
• Can transmit data by Bluetooth or TCP/IP, or store and dump
• New devices look exactly like regular PIN pads and card slots
THE TARGET ATTACK
Target Timeline
• Hackers break in using credentials from PA HVAC contractor
• DOJ contacts Target to inform them of the breach
• Target meets with DOJ / USSS
• Target retains investigators
• Target notifies payment processors and card brands – begins malware removal
• More malware removed from 25 disconnected terminals
• Public breach notification
What We THINK We Know
• Attack included POS malware
• "Kaptoxa" ("potato" in Russian slang), renamed "DUMP MEMORY GRABBER by Ree[4]"
• "BlackPOS" ("ree4") has sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit card shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others.
• BlackPOS/Kartoxa versions and mods sold on the black market in source code
Chat Transcript

Dump Memory Grabber

Meet the Author Rinat Shabaev
The Weakest Link
• Hackers broke into Target’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
• Why did the HVAC contractor have/need network credentials?
• Why was this linked to the CRM/Payment database?
• What vulnerability let hackers into Fazio’s computers?
Timeline
• Nov. 15 (Thanksgiving) and Nov. 28 (day before Black Friday), hackers upload RAM scraping software to small number of POS terminals at Target.
• Hackers test POS hack to make sure it works.
• Nov. 30 – expand to majority of POS devices.
• Nov. 30 – collect from live transactions.
• Nov. 30 – December 15 – collect and dump:
  • FTP from Russia?
  • Dump to hacked computer in Miami
  • Hacked drop server in Brazil.
Anatomy of a Carder Network
• Multiple Parts – Multiple Actors
• Trojan/Malware design
• Access/Hack
• Malware injection – social network?
• Exploitation/harvesting
• Acquisition of data and selling of data
• Conversion of data to
cards/goods/services
• Conversion of goods/services to money
• Distribution of money

Curiosities of Target Hack
• Obtained PIN – suggests hack at POS
• BUT – obtained e-mail addresses – suggests hack at CRM
• Hacked tens of millions – suggests aggregated data
• BUT attack profile suggests individual POS attacked
• Targeted to Target’s software BUT
• Multiple entities compromised
Breach Aftermath
• Breach affected two types of data:
  • payment card data of 40 million who shopped at Target US stores from November 27 through December 18
  • personal data (name, mailing address, phone number or email address) of 70 million people.
• Hacker stole a vendor’s credentials to access Target system
• Placed malware on POS terminals.
• Designed to capture payment card data from the magnetic stripe of credit and debit cards prior to encryption within Target system.
• Malware also captured encrypted PIN data.
Target Responses
1. End-to-end review of security of network.
2. Increased fraud detection for Target REDcard customers.
3. Reissuing new Target credit or debit cards to any customer who requests one.
4. Offering one year of free credit monitoring and identity theft protection to anyone who has ever shopped at our U.S. Target stores. Includes free credit report, daily credit monitoring, identity theft insurance and unlimited access to personalized assistance from fraud resolution agent.
5. Told customers to monitor accounts, and that there is zero liability.
6. Adding PIN and Chip for Target REDcards and POS.
7. $5MM for BBB and National Cyber Security Alliance and the National Cyber-Forensics & Training Alliance to advance public education around cybersecurity and the dangers of consumer scams.
8. Launch a retail industry Cybersecurity and Data Privacy Initiative that will be focused on informing public dialogue and enhancing practices related to cybersecurity, improved payment security and consumer privacy.
POLL
THE AFTERMATH
It ain’t over
• Neiman Marcus, Michaels, and others
• FBI January 17 report: "Recent Cyber Intrusion Events Directed Toward Retail Firms."
  • "We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it"
  • "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors," the FBI said.
• Malware was being sold online for over a year for about $2,000
• 1/30/2014 – millions of Yahoo! passwords stolen
Enforcement Actions
• Federal Trade Commission – Section 5 of FTC Act
  • Enforce privacy policies and challenge data security practices that cause substantial consumer injury
• State Attorney General – State Notification Statutes
  • Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
  • Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”.
• Litigation in federal or state courts
Litigation
Unusual Court Rulings
• Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121 (N.D. Cal. 2008).
  • Laptop computer stolen, which contained approximately 800,000 Gap job applications (including name and social security no.)
  • Court denied defendant’s motion for summary judgment and held that plaintiff “has alleged injury in fact” to establish standing
  • “Increased risk of identity theft” constituted sufficient “injury in fact”

Litigation
Unusual Court Rulings
• Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).
  • Laptop computer stolen from employer’s pension consultant, which contained personal information (including name and social security no.)
  • Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of fiduciary duty
  • Court denied motion with respect to claim that plaintiff was third-party beneficiary between defendant and plaintiff’s employer
Send In the Insurers
• Target self-insured for the first $10 million
• $15 million of excess coverage with Ace Ltd.;
• $15 million layer with American International Group Inc.;
• $10 million layer with Bermuda-based Axis Capital Holdings Ltd.;
• Another $10 million coverage layer with AIG;
• Quota share for the next $40 million of cyber insurance divided among four unidentified insurers.
• Executive liability = $10 million self-insured retention; then $25 million in primary D&O coverage with AIG; then $15 million of coverage with Ace; and then $15 million of coverage with the Hartford, Conn.-based Travelers Cos. Inc.
Target could be facing losses of up to $420 million
QUESTIONS
“Co3 Systems makes the process of planning for a
nightmare scenario as painless as possible,
making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE

“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013

One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM

“Co3…defines what software packages for
privacy look like.”
GARTNER

“Platform is comprehensive, user friendly, and
very well designed.”
PONEMON INSTITUTE

Mark D. Rasch, Esq.
Mark.D.Rasch@saic.com
(301) 547-6925

pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
 
Credit Card Fraud PPT - Reena Prajapati.pptx
Credit Card Fraud PPT - Reena Prajapati.pptxCredit Card Fraud PPT - Reena Prajapati.pptx
Credit Card Fraud PPT - Reena Prajapati.pptx
 
Learn Some Terms Used In Credit Card Processing
Learn Some Terms Used In Credit Card ProcessingLearn Some Terms Used In Credit Card Processing
Learn Some Terms Used In Credit Card Processing
 
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresWhite Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
 
The Top 25 Payment Processing Terms
The Top 25 Payment Processing TermsThe Top 25 Payment Processing Terms
The Top 25 Payment Processing Terms
 
Hack in Cash out OWASP London
Hack in Cash out OWASP LondonHack in Cash out OWASP London
Hack in Cash out OWASP London
 
Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’...
Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’...Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’...
Manage a Recurring Gift Process and Implement PCI Compliance with The Raiser’...
 
CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15
 
Cybersecurity Workshop
Cybersecurity Workshop Cybersecurity Workshop
Cybersecurity Workshop
 
Payment Card Cashiering for Local Governments 2016
Payment Card Cashiering for Local Governments 2016Payment Card Cashiering for Local Governments 2016
Payment Card Cashiering for Local Governments 2016
 
Webinar - Navigating Payment Processing for Nonprofits - 2015-07-23
Webinar - Navigating Payment Processing for Nonprofits - 2015-07-23Webinar - Navigating Payment Processing for Nonprofits - 2015-07-23
Webinar - Navigating Payment Processing for Nonprofits - 2015-07-23
 
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docxAssignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
Assignment 1Assignment 1 Bottling Company Case StudyDue Week.docx
 

More from Resilient Systems

You've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentYou've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentResilient Systems
 
Co3's Annual Review & Predictions Webinar
Co3's Annual Review & Predictions WebinarCo3's Annual Review & Predictions Webinar
Co3's Annual Review & Predictions WebinarResilient Systems
 
By Popular Demand: Co3's Latest and Greatest Features
By Popular Demand: Co3's Latest and Greatest Features By Popular Demand: Co3's Latest and Greatest Features
By Popular Demand: Co3's Latest and Greatest Features Resilient Systems
 
Are We Breached How to Effectively Assess and Manage Incidents
Are We Breached How to Effectively Assess and Manage Incidents Are We Breached How to Effectively Assess and Manage Incidents
Are We Breached How to Effectively Assess and Manage Incidents Resilient Systems
 
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits Resilient Systems
 
Encryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a PanaceaEncryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a PanaceaResilient Systems
 
How To Build An Incident Response Function
How To Build An Incident Response FunctionHow To Build An Incident Response Function
How To Build An Incident Response FunctionResilient Systems
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItResilient Systems
 
EU Cyber Attacks And The Incident Response Imperative
EU Cyber Attacks And The Incident Response ImperativeEU Cyber Attacks And The Incident Response Imperative
EU Cyber Attacks And The Incident Response ImperativeResilient Systems
 
Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To PrepareResilient Systems
 
5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response PlanResilient Systems
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceResilient Systems
 
New CISO - The First 90 Days
New CISO - The First 90 DaysNew CISO - The First 90 Days
New CISO - The First 90 DaysResilient Systems
 
How To Stop Target-Like Breaches In Their Tracks
How To Stop Target-Like Breaches In Their TracksHow To Stop Target-Like Breaches In Their Tracks
How To Stop Target-Like Breaches In Their TracksResilient Systems
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsResilient Systems
 
Incident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It RightIncident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It RightResilient Systems
 
Treat a Breach Like a Customer, Not a Compliance Issue
Treat a Breach Like a Customer, Not a Compliance IssueTreat a Breach Like a Customer, Not a Compliance Issue
Treat a Breach Like a Customer, Not a Compliance IssueResilient Systems
 
You're Breached: Information Risk Analysis for Today's Threat Landscape
You're Breached: Information Risk Analysis for Today's Threat LandscapeYou're Breached: Information Risk Analysis for Today's Threat Landscape
You're Breached: Information Risk Analysis for Today's Threat LandscapeResilient Systems
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyAnatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyResilient Systems
 
How to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramHow to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramResilient Systems
 

More from Resilient Systems (20)

You've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentYou've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The Incident
 
Co3's Annual Review & Predictions Webinar
Co3's Annual Review & Predictions WebinarCo3's Annual Review & Predictions Webinar
Co3's Annual Review & Predictions Webinar
 
By Popular Demand: Co3's Latest and Greatest Features
By Popular Demand: Co3's Latest and Greatest Features By Popular Demand: Co3's Latest and Greatest Features
By Popular Demand: Co3's Latest and Greatest Features
 
Are We Breached How to Effectively Assess and Manage Incidents
Are We Breached How to Effectively Assess and Manage Incidents Are We Breached How to Effectively Assess and Manage Incidents
Are We Breached How to Effectively Assess and Manage Incidents
 
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
 
Encryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a PanaceaEncryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a Panacea
 
How To Build An Incident Response Function
How To Build An Incident Response FunctionHow To Build An Incident Response Function
How To Build An Incident Response Function
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
EU Cyber Attacks And The Incident Response Imperative
EU Cyber Attacks And The Incident Response ImperativeEU Cyber Attacks And The Incident Response Imperative
EU Cyber Attacks And The Incident Response Imperative
 
Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To Prepare
 
5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat Intelligence
 
New CISO - The First 90 Days
New CISO - The First 90 DaysNew CISO - The First 90 Days
New CISO - The First 90 Days
 
How To Stop Target-Like Breaches In Their Tracks
How To Stop Target-Like Breaches In Their TracksHow To Stop Target-Like Breaches In Their Tracks
How To Stop Target-Like Breaches In Their Tracks
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 Predictions
 
Incident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It RightIncident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It Right
 
Treat a Breach Like a Customer, Not a Compliance Issue
Treat a Breach Like a Customer, Not a Compliance IssueTreat a Breach Like a Customer, Not a Compliance Issue
Treat a Breach Like a Customer, Not a Compliance Issue
 
You're Breached: Information Risk Analysis for Today's Threat Landscape
You're Breached: Information Risk Analysis for Today's Threat LandscapeYou're Breached: Information Risk Analysis for Today's Threat Landscape
You're Breached: Information Risk Analysis for Today's Threat Landscape
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyAnatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The Ugly
 
How to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramHow to Build a Successful Incident Response Program
How to Build a Successful Incident Response Program
 

Recently uploaded

Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 

Recently uploaded (20)

Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 

The Target Breach – Follow The Money

  • 8. Other Parties (who can I blame?) • Software vendor – creates and/or maintains general software • CRM vendors and contractors – hired by merchant to maintain Customer Relations Management (CRM) data which feeds into POS terminal • POS Terminal Vendor – supplier of POS terminals, related software, maintenance and support • PCI/DSS-PA/DSS Assessor – assesses and certifies compliance with PCI DSS standards • IT Security Staff/Consultants – conducted pen tests, other assessments • IT Audit (internal/external) • Third party vendors with access to Target network (HVAC) • Don’t forget insurers! Page 8
  • 9. The Credit Card Transaction Process – Where does the data go? • Step 1 - Authorization Cardholder makes a purchase using a credit card. The merchant must obtain authorization for the purchase from the bank who issued the card. • Step 2 - Clearing If the transaction is approved, the next step is clearing. In this phase, the Issuing Bank obtains basic transaction data from the merchant such as the amount, date and location of the purchase. This data is then sent to the credit card issuer for posting to the monthly credit card statement. • Step 3 - Settlement In the final step, settlement, the funds are collected from the Issuing Bank and transmitted to the merchant. When a consumer uses a credit card, the merchant does not receive payment at the time of purchase. The bank credits the merchant’s bank account. The bank then sends payment to the processor who sends the payment to Visa. The cardholder receives a monthly statement and settles with Visa for purchases made using the credit card. Page 9
  • 10. The Four Party Model (Debit Card) Purchase goods / services using card payment instrument Cardholder Merchant Transaction Fees Merchant Service Charge Settlement & Payment Services Convenience & payment instrument Card Payment Facility Settlement & Risk Bearing Issuer Acquirer Interchange Fee 2/6/2014 Page 10
  • 12. Fraud Flow Issuer issues cc to consumer – not secure because of cost Consumer fails to protect cc because of zero liability Consumer uses cc at Target store Some of the proceeds used to finance new hacks Hacker steal number and sells Hackers post stolen credit cards on multiple “carder” forums around the world. The card numbers are purchased and sold within minutes/hours of their having been stolen The purloined products are sold on online auction sites Mules purchase goods (or services) online or offline Consumer swipes card at POS Carder “mules” use the bogus cards at ATM’s or stores worldwide Page 12 Carders distribute these bogus cards worldwide Carders use machines to create new “bogus” credit cards $
  • 13. Losers • Issuer – reissue millions of card, call centers 24/7 at Christmas • Consumer – loss of confidence, anxiety, monitoring, inconvenience – possible $50 loss • Target – massive dollar loss, cost of investigation, PCI DSS “fines,” AG investigations, loss of reputation, loss of confidence • Target Stockholders – loss of share price (short and long term) • POS Vendor/Processor – Possible liability (but look at contracts) • Third party merchants – out sales, cardmember “present” vs. cardmember “not present” transactions. • Manufacturers – lost sales because of fraudulent purchases • Insurers – indemnify each of these parties • Web/E-commerce merchants – fraudulent sales • PCI DSS Certification entity Page 13
  • 14. SEC Disclosure • Target stock price (6 month) • TJX (5 year) • Heartland Payment (5 year) Item 1A. Risk Factors There have been no material changes to the risk factors described in our Annual Report on Form 10-K for the fiscal year ended February 2, 2013. Page 14
  • 17. Friendly Letters From Congress Page 17
  • 19. Winners • • • • • • • • • • • • Verizon business FBI/USSS Experian Data breach notification companies WalMart or competitors Hackers! Next Gen Payment System vendors Security Vendors/Consultants Forensic investigators Brian Krebs Cyber-insurance sellers Lawyers Page 19
  • 20. Finger Pointing – Target vs. Issuers • Target – it’s credit card issuer’s fault for having insecure “magstripe” credit cards (to save infrastructure costs). Target tried to push “Chip & PIN” cards but had resistance from banks. Upgrade Target alone to Chip & PIN = $100 million. • Banks – it’s merchant’s fault because of faulty security and trust models – PCI DSS violations. • In 2012 banks bore 63% of fraudulent losses; Merchants 37%* • Bank losses from counterfeit cards; Merchant loses from (CNP) transactions on the Web, at a call center or through mail order. • BUT – goal is NOT to prevent/reduce fraud! Goal is to enhance consumer confidence. * (Source: Nilson Report, August 2013) Page 20
  • 21. POLL
  • 23. Threat model • Attacker types • Class I: Clever outsiders • Intelligent, but lack information, exploit known attack • Class II: Knowledgeable insiders • Have inside information on protocols/design, can use sophisticated tools • Class III: Funded organizations • Have information, resources, equipment, and incentives • Can employ class II attackers in teams Page 23
  • 24. Attacker Goals • To get the crypto keys stored in RAM or ROM • To learn the secret crypto algorithm used • To obtain other information stored into the chip (e.g. PINs) • To modify information on the card (e.g. calling card balance) Page 24
• 25. Methodology
  • Obtain access – likely SQL injection
  • Obtain data – likely RAM scraper (inter-process communications hook)
  • Aggregate data – create internal shared drive / use vendor hard-coded credentials (BMC)
  • Store data – create password-protected root access remote file server with additional services
  • Exfiltration – FTP or other access to remote file share (Cuckoo’s Egg)
• 26. PIN Processing – Transaction PIN Flow
  1. Cardholder uses debit card (ATM/POS) and enters PIN.
  2. PED or payment terminal encrypts the PIN using the PIN Encryption Key already injected within the device.
  3. Acquirer: PIN is decrypted using the same key, and then encrypted by the Acquirer/Working Key, which may be shared with the Acquirer/VisaNet or other processor network.
  4. Network: PIN is decrypted using the Acquirer/Working Key, and then encrypted by the Issuer Working Key, which is shared with the Card Issuer.
  5. Issuer: PIN is decrypted using the Issuer Key, and then the issuer validates the PIN.
  6. When the PIN is validated, the final transaction occurs.
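The flow on this slide is easier to follow in code. The block below is an added example, not material from the deck: it builds an ISO 9564-1 format-0 PIN block and walks it through the same hops (PED, acquirer, network, issuer), with each hop only ever holding the PIN under its own zone key. The keyed cipher is a toy HMAC-SHA256 keystream so it runs on the standard library alone; real PEDs and processors use TDES/AES keys inside HSMs. The PAN, PIN and key values are constructed.

```python
import hashlib
import hmac
import secrets

# Added example (not from the deck): an ISO 9564-1 format-0 PIN block carried through the
# key zones the slide describes. The keyed cipher is a toy HMAC-SHA256 keystream so the
# example runs on the standard library alone; real PEDs, acquirers and issuers use
# TDES/AES keys held in HSMs. The PAN and PIN used below are constructed test values.

BLOCK_LEN = 8  # a format-0 PIN block is 64 bits


def _pan_field(pan: str) -> bytes:
    # Field 2 of format 0: "0000" + the 12 rightmost PAN digits, check digit excluded.
    return bytes.fromhex("0000" + pan[-13:-1].rjust(12, "0"))


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """Build a clear format-0 PIN block; the terminal encrypts this before it leaves the PED."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    # Field 1: control nibble 0, PIN length, PIN digits, padded with F to 16 hex digits.
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def pin_from_block(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear block. Only the issuer (or an HSM) ever does this."""
    field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    length = int(field[1], 16)
    pin = field[2:2 + length]
    if (field[0] != "0" or not 4 <= length <= 12 or not pin.isdigit()
            or field[2 + length:] != "F" * (14 - length)):
        raise ValueError("corrupt or non-format-0 PIN block")
    return pin


def zone_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy stand-in for TDES/AES: random nonce plus an HMAC-derived keystream."""
    nonce = secrets.token_bytes(BLOCK_LEN)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()[:BLOCK_LEN]
    return nonce + bytes(a ^ b for a, b in zip(block, stream))


def zone_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:BLOCK_LEN], ciphertext[BLOCK_LEN:]
    stream = hmac.new(key, nonce, hashlib.sha256).digest()[:BLOCK_LEN]
    return bytes(a ^ b for a, b in zip(body, stream))


def hsm_translate(ciphertext: bytes, key_in: bytes, key_out: bytes) -> bytes:
    """PIN translation at a zone boundary: decrypt under the inbound key, re-encrypt under
    the outbound key. In a real HSM this happens inside the tamper-resistant boundary and
    the clear block is never handed back to the host application."""
    return zone_encrypt(key_out, zone_decrypt(key_in, ciphertext))


def debit_pin_flow(pin: str, pan: str, pin_on_file: str) -> bool:
    """Walk the slide's hops: PED -> acquirer -> network -> issuer, one key per zone."""
    ped_key = secrets.token_bytes(16)       # PIN Encryption Key injected into the terminal
    acquirer_wk = secrets.token_bytes(16)   # Acquirer Working Key shared with the network
    issuer_wk = secrets.token_bytes(16)     # Issuer Working Key shared with the card issuer

    at_terminal = zone_encrypt(ped_key, iso0_pin_block(pin, pan))     # step 2
    at_acquirer = hsm_translate(at_terminal, ped_key, acquirer_wk)    # step 3
    at_network = hsm_translate(at_acquirer, acquirer_wk, issuer_wk)   # step 4
    # Step 5: the issuer alone decrypts and compares. Every hop in between held the PIN
    # only under some zone key, which is why an encrypted PIN block captured at a
    # terminal is useless without the key injected into that terminal.
    return pin_from_block(zone_decrypt(issuer_wk, at_network), pan) == pin_on_file


if __name__ == "__main__":
    print(iso0_pin_block("1234", "4000001234567899").hex().upper())  # 041234FEDCBA9876
    print(debit_pin_flow("1234", "4000001234567899", "1234"))        # True
```

The design point worth noticing is that `hsm_translate` is the only place where a clear PIN block exists between the terminal and the issuer, and in production that function lives inside the HSM, not in the acquirer's application code.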
• 27. PIN Weaknesses
  • 4-digit PIN = 10k+ possible combinations (good)
  • But > 10% of random PINs = 1234. Expanding a bit, 1234, 0000, and 1111 = 20%
  • 26.83% of passwords can be cracked using the top 20 combinations.
  • Birthday years are big. The 1900 PINs (1986, 1960, 1991, and so on) are extremely popular, with PINs from later in the century used the most.
  • 17.8% = couplets, such as 7878, 8181
  • And don’t forget 2580
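The issuer-side counterpart to this slide is a PIN selection policy. The block below is an added example, not from the deck: a check that rejects every pattern the slide names (the headline PINs, repeated digits, couplets, birth years and digit runs). The denylist contents and the year cut-off are assumptions for the example; an issuer would tune both to its own PIN-frequency data.

```python
# Added example (not from the deck): a server-side PIN selection check that rejects the
# weak patterns the slide lists. The denylist and the year range are assumptions made for
# this example; a real issuer would tune them to its own PIN-frequency data.

COMMON_PINS = {"1234", "0000", "1111", "2580"}   # the slide's headline offenders
BIRTH_YEAR_RANGE = range(1900, 2014)             # "the 1900 PINs" (assumed cut-off: deck year)


def weak_pin_reasons(pin: str) -> list:
    """Return every reason a candidate 4-digit PIN is weak; an empty list means acceptable."""
    reasons = []
    if len(pin) != 4 or not pin.isdigit():
        return ["PIN must be exactly four digits"]
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN denylist")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if pin[:2] == pin[2:]:
        reasons.append("repeated couplet such as 7878 or 8181")
    if int(pin) in BIRTH_YEAR_RANGE:
        reasons.append("looks like a birth year")
    # 1234 / 4321 / 6789: every step between neighbouring digits is +1 or every step is -1.
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("ascending or descending digit run")
    return reasons


def pin_is_acceptable(pin: str) -> bool:
    """Policy gate used at PIN selection / PIN change time."""
    return not weak_pin_reasons(pin)


if __name__ == "__main__":
    for candidate in ("1234", "7878", "1986", "2580", "8527"):
        print(candidate, weak_pin_reasons(candidate) or "acceptable")
```

Returning the list of reasons rather than a bare boolean lets the PIN-change screen tell the customer why a choice was refused, which is the only way the policy changes behaviour rather than just generating retries.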
• 28. Skimmers
  • Another way to mount a physical attack
  • Collects, stores and transmits:
    • Magstripe data
    • Unencrypted PIN data
  • Easy to install but needs physical access to the device
  • Can transmit data by Bluetooth, TCP/IP, or store and dump
  • New devices look exactly like regular PIN pads, card slots
• 30. Target Timeline
  • Hackers break in using credentials from PA HVAC contractor
  • DOJ contacts Target to inform them of the breach
  • Target meets with DOJ/USSS
  • Target notifies payment processors and card brands – begins malware removal
  • More malware removed from 25 disconnected terminals
  • Public breach notification
  • Target retains investigators
• 31. What We THINK We Know
  • Attack included POS malware
  • "Kaptoxa" ("potato" in Russian slang), renamed "DUMP MEMORY GRABBER by Ree[4]"
  • "BlackPOS" ("ree4") has sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit card shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others.
  • BlackPOS/Kartoxa versions and mods sold on the black market in source code
• 34. Meet the Author: Rinat Shabaev
• 35. The Weakest Link
  • Hackers broke into Target’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
  • Why did an HVAC contractor have/need network credentials?
  • Why was this linked to the CRM/payment database?
  • What vulnerability let hackers into Fazio’s computers?
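Slides 25 and 35 together ask two questions a network team can answer from flow records: can a vendor account reach the POS segment at all, and can anything on the POS segment push data out to a file share or an external host? The block below is an added example, not from the deck and not Target's network: a segmentation audit over constructed flow records, with assumed zone ranges, an assumed zone-pair policy, and sample flows made up to show the two violations the slides describe.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the deck): a segmentation audit over constructed flow records.
# The zone ranges, the allowed zone pairs and the sample flows are all assumptions made for
# this example; they are not Target's network. The point is to surface the two things the
# slides question: a vendor account reaching the POS segment, and POS data leaving the estate.

ZONES = {
    "vendor-vpn": ipaddress.ip_network("10.50.0.0/16"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "pos": ipaddress.ip_network("10.20.0.0/16"),
    "payment-gateway": ipaddress.ip_network("10.30.0.0/24"),
}
# Policy: which (source zone, destination zone) pairs are ever allowed to talk.
ALLOWED_PAIRS = {
    ("vendor-vpn", "corporate"),      # contractor billing / work-order portal
    ("corporate", "corporate"),
    ("corporate", "external"),
    ("pos", "payment-gateway"),       # the only place card data should go
}
# Bulk-transfer services that never belong on a path to an external host.
EXFIL_PORTS = {21: "ftp", 445: "smb"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def audit_flows(flows) -> list:
    """Return (flow description, reason) for every flow that breaks the zone policy or
    carries a bulk-transfer protocol toward an external host."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        desc = f"{f.ts} {f.src}->{f.dst}:{f.dport}"
        if (src_zone, dst_zone) not in ALLOWED_PAIRS:
            findings.append((desc, f"{src_zone} -> {dst_zone} not permitted by segmentation policy"))
        elif dst_zone == "external" and f.dport in EXFIL_PORTS:
            findings.append((desc, f"{EXFIL_PORTS[f.dport]} session to external host from {src_zone}"))
    return findings


# Constructed sample flows (203.0.113.0/24 is a documentation range, not a real server).
SAMPLE_FLOWS = [
    Flow("2013-11-15T09:02", "10.50.3.7", "10.10.8.20", 443),    # vendor -> billing portal: fine
    Flow("2013-11-15T09:41", "10.50.3.7", "10.20.14.5", 445),    # vendor -> POS share: should not exist
    Flow("2013-11-30T13:10", "10.20.14.5", "10.30.0.10", 443),   # POS -> payment gateway: fine
    Flow("2013-11-30T13:12", "10.20.14.5", "10.10.8.30", 445),   # POS -> corporate share: not allowed
    Flow("2013-12-02T03:30", "10.10.8.30", "203.0.113.45", 21),  # corporate -> external FTP
]

if __name__ == "__main__":
    for desc, reason in audit_flows(SAMPLE_FLOWS):
        print(desc, "|", reason)
```

The policy is deliberately an allowlist of zone pairs: a vendor-to-POS flow is reported because nobody ever wrote it down as permitted, not because someone anticipated that specific path. The second rule catches the exfiltration step of slide 25 even when the source zone is one that is otherwise allowed to reach the Internet.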
• 36. Timeline
  • Nov. 15 (Thanksgiving) and Nov. 28 (day before Black Friday): hackers upload RAM-scraping software to a small number of POS terminals at Target.
  • Hackers test the POS hack to make sure it works.
  • Nov. 30 – expand to the majority of POS devices.
  • Nov. 30 – collect from live transactions.
  • Nov. 30 – December 15 – collect and dump:
    • FTP from Russia?
    • Dump to hacked computer in Miami
    • Hacked drop server in Brazil
• 37. Anatomy of a Carder Network
  • Multiple parts – multiple actors
    • Trojan/malware design
    • Access/hack
    • Malware injection – social network?
    • Exploitation/harvesting
    • Acquisition of data and selling of data
    • Conversion of data to cards/goods/services
    • Conversion of goods/services to money
    • Distribution of money
• 38. Curiosities of the Target Hack
  • Obtained PINs – suggests a hack at the POS
  • BUT – obtained e-mail addresses – suggests a hack at the CRM
  • Hacked tens of millions – suggests aggregated data
  • BUT the attack profile suggests individual POS terminals were attacked
  • Targeted to Target’s software, BUT multiple entities compromised
• 39. Breach Aftermath
  • Breach affected two types of data:
    • payment card data of 40 million who shopped at Target US stores from November 27 through December 18
    • personal data (name, mailing address, phone number or email address) of 70 million people
  • Hackers stole a vendor’s credentials to access Target’s system
  • Placed malware on POS terminals
  • Designed to capture payment card data from the magnetic stripe of credit and debit cards prior to encryption within Target’s system
  • Malware also captured encrypted PIN data
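Slides 31 and 39 describe malware that harvested magnetic-stripe data from terminal memory; the defender's version of the same pattern is the check a DLP scanner or file-share monitor runs to find that data sitting on an internal share before it is moved. The block below is an added example, not from the deck: a Track 2 detector with Luhn validation to suppress random digit runs, and PCI-style masking so the finding itself does not become another copy of the card number. The staged-file content is constructed from published test card numbers.

```python
import re

# Added example (not from the deck): the check a DLP scanner or file-share monitor applies
# to find magnetic-stripe Track 2 data at rest. The sample file content is constructed from
# published test card numbers; nothing here is real cardholder data.

# Track 2: PAN (13-19 digits), separator, YYMM expiry, 3-digit service code, then
# discretionary data. The ASCII form uses '='; dumped memory often shows 'D' instead.
TRACK2_RE = re.compile(r"(?<![0-9])([0-9]{13,19})[=D]([0-9]{4})([0-9]{3})[0-9]*")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters random digit runs out of the regex hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style masking: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(text: str) -> list:
    """Return masked findings for every Luhn-valid Track 2 record in the text."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service = m.group(1), m.group(2), m.group(3)
        if not luhn_ok(pan):
            continue        # digit run with a separator, but not a card number
        findings.append({"pan_masked": mask_pan(pan), "expiry": expiry, "service_code": service})
    return findings


# Constructed sample of a staged file: two valid records, one digit run that fails Luhn,
# and an unrelated line that must not match.
SAMPLE_STAGED_FILE = """\
;4111111111111111=15121011000012345678?
;5500000000000004=16041011234567890?
;1234567890123456=15121011000012345678?
order_id=88213 total=42.17 terminal=POS-0412
"""

if __name__ == "__main__":
    for hit in scan_for_track2(SAMPLE_STAGED_FILE):
        print(hit)
```

Run against files landing on a share that the POS segment should never write to, this is the kind of control that turns the "aggregate data" step of slide 25 into an alert rather than a surprise weeks later.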
• 40. Target Responses
  1. End-to-end review of security of network.
  2. Increased fraud detection for Target REDcard customers.
  3. Reissuing new Target credit or debit cards to any customer who requests one.
  4. Offering one year of free credit monitoring and identity theft protection to anyone who has ever shopped at our U.S. Target stores. Includes free credit report, daily credit monitoring, identity theft insurance and unlimited access to personalized assistance from a fraud resolution agent.
  5. Told customers to monitor accounts, and that there is zero liability.
  6. Adding PIN and Chip for Target REDcards and POS.
  7. $5MM for BBB and National Cyber Security Alliance and the National Cyber-Forensics & Training Alliance to advance public education around cybersecurity and the dangers of consumer scams.
  8. Launch a retail industry Cybersecurity and Data Privacy Initiative that will be focused on informing public dialogue and enhancing practices related to cybersecurity, improved payment security and consumer privacy.
  • 41. POLL
• 43. It ain’t over
  • Neiman Marcus, Michaels, and others
  • FBI January 17 report: "Recent Cyber Intrusion Events Directed Toward Retail Firms."
  • "We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it."
  • "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors," the FBI said.
  • Malware was being sold online for over a year for about $2,000
  • 1/30/2014 – millions of Yahoo! passwords stolen
• 44. Enforcement Actions
  • Federal Trade Commission – Section 5 of FTC Act
    • Enforce privacy policies and challenge data security practices that cause substantial consumer injury
  • State Attorneys General – state notification statutes
    • Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
    • Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”.
  • Litigation in federal or state courts
• 45. Litigation – Unusual Court Rulings
  • Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121 (N.D. Cal. 2008).
    • Laptop computer stolen, which contained approximately 800,000 Gap job applications (including name and social security no.)
    • Court denied defendant’s motion for summary judgment and held that plaintiff “has alleged injury in fact” to establish standing
    • “Increased risk of identity theft” constituted sufficient “injury in fact”
• 46. Litigation – Unusual Court Rulings
  • Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).
    • Laptop computer stolen from employer’s pension consultant, which contained personal information (including name and social security no.)
    • Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of fiduciary duty
    • Court denied motion with respect to claim that plaintiff was third-party beneficiary of the contract between defendant and plaintiff’s employer
• 47. Send In the Insurers
  • Target self-insured for the first $10 million
  • $15 million of excess coverage with Ace Ltd.
  • $15 million layer with American International Group Inc.
  • $10 million layer with Bermuda-based Axis Capital Holdings Ltd.
  • Another $10 million coverage layer with AIG
  • Quota share for the next $40 million of cyber insurance divided among four unidentified insurers
  • Executive liability = $10 million self-insured retention; then $25 million in primary D&O coverage with AIG; then $15 million of coverage with Ace; and then $15 million of coverage with the Hartford, Conn.-based Travelers Cos. Inc.
  • Target could be facing losses of up to $420 million
• 49. “Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” – PC MAGAZINE, EDITOR’S CHOICE
  “One of the hottest products at RSA…” – NETWORK WORLD, FEBRUARY 2013
  “Co3…defines what software packages for privacy look like.” – GARTNER
  “Platform is comprehensive, user friendly, and very well designed.” – PONEMON INSTITUTE
  One Alewife Center, Suite 450, Cambridge, MA 02140 – PHONE 617.206.3900 – WWW.CO3SYS.COM
  Mark D. Rasch, Esq. – Mark.D.Rasch@saic.com – (301) 547-6925