For those who follow my writings on security-related matters, you know that when there is breaking news I usually am quick to jump. However, in the case of the Target credit card breach which is now nearing the one week mark, surprisingly there is still a lot we do not know. And, while speculation, lawsuits and reports about black market sales of stolen account information are making headlines it seems like a good time to take a deep breath and take stock of where we are and see where we are heading.

What we know 

Quickly here is what we do know:

• On December 19 it was revealed that fraudsters had breached the U.S.-based retail giant’s security systems. The theft of information occurred from November 27 through December 15 from the company which recently reported $1.6 billion in profits on $51 billion in sales for the 9 month period ending November 2, 2013.
• This set off an investigation by the U.S. Secret Service. Estimates are that up to 40 million accounts were at risk.  Possibly all of the retailer’s 40,000 credit card swiping device in its 1,797 U.S. stores, plus 124 in Canada may have been at compromised.
• As the news spread, Target CEO Gregg Steinhafel in a statement offered: an apology to customers for the fact that this happened; another apology for customer’s inability to reach a company representative; a number to call if a customer saw unauthorized activity on their account; and, a 10 percent discount through the holiday shopping season as a way to mollify irate consumers and hopefully keep them buying.
• He also stated regarding the problems that the source of them: “Has been identified and eliminated." He provided an additional sweetener saying: "Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud. And to provide guests with extra assurance, we will be offering free credit monitoring services. We will be in touch with those impacted by this issue soon on how and where to access the service."
• As of this writing over one dozen class-action lawsuits have already been filed, the Attorney Generals in Connecticut, Massachusetts, New York and South Dakota have asked Target for information about the breach which is the first step in what could be a multi-state investigation, and to say the least the U.S. Senate is asking a lot of questions as well.
• Bank card companies have put limits on Target purchases to protect themselves, some of which have been raised but only slightly.
• Target sales plummeted by roughly 4 percent over the past busy shopping weekend while competitor’s sales have been strong.
• Last and certainly not least, there are numerous reports of possibly millions of stolen credit and debit card information from the breach showing up on the black market with stolen cards going from $20 to $100 depending upon the valuation put on the accounts based on the fraudulently reproduced cards.

Here is what we do not know   

The reason for waiting on writing about all of this is that until the dust clears a bit more there is a lot we do not know. The list is long. However, a few that stand out are contained below.

What is the actual nature of the attack? If for example all 40,000 POS terminals were compromised, how was it done? The speculation has been that it happened when account information was on the fly between the point-of-sale POS) terminals and the financial institutions involved in a given transaction, i.e., the card holders bank and the bank that actually pays the retailer.  This is the most likely target (pardon the pun) because it is the easiest way to compromise so many accounts, but Target would be well advised to say exactly what happened.

How did how Target “identified and eliminated” the source of the breach? If Target is to restore trust it needs to come clean on this subject. Based on what security professionals are saying about vectors of vulnerability, e.g., the POS terminals and the lack of network security this is not a quick fix situation. It will take time and money, and the likelihood is the Target brand will remain tarnished until it really can assure customers their transactional data is secure.

The lack of security according to security professionals is appalling as well as symptomatic of a U.S.-centric issue. As the Associated Press (AP) reported in an extremely well-documented posting, the calculus for improving security still does not out-weigh the costs of being hit. As AP noted, “While global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.”

This leads to the further observation that a) it does not pay to improve security, and b) there is a huge disagreement between retailers and card issuers as to who should pay for an upgrade. This leaves open the question as to whether the latest breach is enough to stop business as usual.

Why was there seemly no encryption? While going toward an almost fail-safe security system may be expensive, the lack of encrypting communications between stores and financial institutions seems like a no-brainer and transactions are bi-directional seems like a cost that could be assumed in some measure by all parties. Why such a huge retailer as Target with so much literally and figuratively on the line did not at least implement itself and demand from credit and debit card issuers the ability to send and receive encrypted information is almost unfathomable.

The public relations handling of this situation has been a classic case of “what not to do.”  Target is one of the biggest and best marketing organizations and to blow the pr on this hopefully means heads will roll. Public Relations 101 says, “Get ahead of the story.”  Target appears to have known they had a problem starting back in late November. It was not until the problems became public that they reacted. One would have thought given how poorly all of the high profile data breaches have been handled this past year that Target would have learned a lesson. They did not enough said.

A word from the wise    

As you can well imagine, my inbox has been flooded with advice from security experts (thank you all BTW) on what happened and what other merchants need to do to better protect themselves. And, while waiting for the credit card companies to reissue their cards with microchips (as is done in Europe and other parts of the world which acts as a huge deterrent) instead of the easily duplicated magnetic strips which make not just Target but almost all U.S. retailers open for exploitation, the one I liked a lot was from Mark Bower, vice president of product management at Voltage Security.

Bower gave a somewhat technical description of what to do which resonates because it has proven to be effective for thousands of retailers, and it addresses the cost issue.

“There are two points in the retail chain where attacks typically take place – the POS or the payment switching back end. POS systems are often the weak link–usually running a standard OS and thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, patch system or worse, from an insider.

In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems. As a POS and checkout are in constant use especially around high volume periods like Black Friday, they are less frequently patched and updated and thus vulnerable. 

The good news is that there is a way to prevent this very efficiently. Savvy retailers are already tackling this risk by giving the malware nothing to steal. Point-to-point encryption (P2PE) from the instant the card data is read, addresses this risk by encrypting all the payment card data before it even gets to the POS. If the POS is breached, the data will be useless to the attacker.  Tokenization can eliminate live data from post authorization retail processes like warranty and returns yet enable business processes to still operate as before – even at Black Friday scale. No live data means no gold to steal.

“…And with EMV (Europay, MasterCard and Visa) on the horizon to make it much harder to counterfeit physical cards from stolen data, and with P2PE and Tokenization to protect the card data in the retail flow, merchants can turn the tables on data breaches in a major way. With the significant reduction in the cost of PCI compliance, there’s also an ROI to justify it in addition to avoiding the cost and complications of remediating 40 million breached cards as in this case.”

For those unfamiliar with EMV, it is a global standard for inter-operation of integrated circuit cards and IC card readers, POS as well as ATMs) for securely authenticating transactions. When implemented on a credit or debit card it has come to be known as the “Smart Card.”  In addition, Visa and MasterCard have also developed standards for using EMV cards in devices to support card-not-present transactions over the telephone and Internet. As noted, EMV has been used for several years, particularly in Europe but has not been implemented in the U.S. 

EMV is not totally “fail safe” since researchers have demonstrated the theoretical possibility of a man-in-the-middle attack. However, it does the one thing security professionals always advise, it makes it very hard and expensive for the bad guys which means they will look elsewhere for low hanging fruit.

In short, there are solutions to the problems the Target attack has exposed that make sense from a security perspective.  When the economic damage done to the Target brand is totaled it is likely that the calculus for a lack of adequate prevention will show that there has been a significant miscalculation. This is not merely looking at direct fraud costs (the value of the transactions themselves) versus the cost of protection. It is about the value of the brand as well. 

Target happened to be the target this time, but that is more a matter of timing and audaciousness than them being an isolated instance to be exploited.  As industry observers have correctly noted, the U.S. retail market is a “target-rich” environment for such mischief.  It is for this reason that this latest breach had better serve as an urgent wake-up call to the entire electronic payments ecosystem in the U.S.  It is why we need to know as much as possible about what happened so at least some short-term preventive measures can be taken.

Trust is extremely difficult to earn, easy to lose and extraordinarily difficult to regain. Target has cast a pall over all retail transactions and not just on those in its stores or online.  Its lack of responsiveness and transparency has only made matters worse for itself, and the ripple effect is to plant the notion in the minds of consumers as what other retailers may or may not be hiding when credit and debit cards are swiped. 

It seems safe to say that a major trend in 2014 is going to be issues surrounding authentication, identity and privacy.  The financial institutions and retailers need to get over the cost issue and get on with giving all of us peace of mind. To say there is a lot at stake here is a gross under-statement. Let’ hope Target comes clean and quickly and that the reaction is action and not complacency.