Tuesday, February 18, 2014

Been "Targeted?"

It's been a while since I blogged ... amazing how life gets in the way sometimes. Today I want to talk for a bit about the Target data breach that happened last November and December. I won't spend too much time on the technical details (several others have done an outstanding job on that front). Instead, I'll look at it from the "what now?" point of view.

Some background is in order though. Around December 12, 2013, the US Justice Department alerted Target that credit cards used at Target stores were subsequently being used fraudulently. By December 15, Target confirmed the "possibility" of a data breach. After substantial forensic work, a few things are becoming known.

  • The actors behind this breach are likely from Eastern Europe. Or China. Or Brazil. Or Miami. In reality while fingers are pointing at Russia, the only thing credibly published so far is that the malware was written at least partly in Russian (but probably not by the lone 17-year-old credited by some reporters).
  • This was not a spur-of-the-moment event. The malware used to infect the point of sale devices had been around for at least a year, and there is some evidence that early versions of the program showed up in mid-2012. The HP Security Research Blog dissects the BlackPOS malware used in the Target attack, and discusses some of the evolution in that malware from early versions to the sophisticated version used in that attack.
  • The entry point was an HVAC contractor that worked for Target. Large businesses often have contracts with outside companies to monitor heating and cooling, refrigeration for perishables, and overall energy use, as a means of managing overall energy cost and of detecting and responding to failed systems before refrigerated/frozen goods have time to spoil. In such a scenario, the contractor would have some level of access to the industrial control systems network, but secure network design dictates that there must be some separation between the ICS network and the payment processing network.

    In this case though, the HVAC vendor states their data connection into Target is for electronic billing and project management, not for ICS operations. Again though, it is an entrance into the Target network and in some manner became the gateway to the more sensitive payment devices.

So, what do we do with this information?

As a consumer, a few things come to mind.
  • Understand the environment we live in today. You can't control what a business does with your data once provided, and you can't control how effectively they protect their own systems. When you decide to share information with someone (whether payment information, personally identifying information, medical information, etc.) your information is only as safe as their policies and their practices.
  • You can however invalidate the data that was taken. It costs banks very little to cancel one credit card number and issue a new number. It costs you nothing except some time (perhaps a lot of time if you have many recurring services billed to that card). If you used a payment card (credit or debit) at a Target store between November 27 and December 15, assume your card info is in the hands of a criminal and will eventually be used. Current reports say the malware infected only POS devices in US stores, but I've not seen any trustworthy reason it could not have reached POS devices in other countries as well.
  • Understand your liability. In the US, the Fair Credit Billing Act limits your liability for credit cards to $50 if you report fraudulent use promptly (and further, limits it to $0 if you report the card stolen before it is used fraudulently). Most banks now guarantee $0 liability for fraudulent use - hence it is in their interest to prevent fraudulent use in the first place. Many banks have sophisticated pattern-tracking systems that detect your typical patterns and will alert if something seems out of the ordinary. If you generally use your card at merchants in Miami, and a charge is recorded in Omaha (or Cambodia), there's a good chance the bank will flag that as suspicious and either call you, or require the merchant to verify your identity.

    The liability law for debit or ATM cards is considerably different. The Electronic Fund Transfer Act limits your liability to $0 if you report the card or number stolen before it is used, and to $50 if you report fraudulent use within 2 days after you learn of the theft. However, after two days your maximum loss increases to $500 - and if not reported within 60 days, you are on the hook for the entire loss.
  • You can take steps to limit your risk. As is clear from the above, one simple step you can use to limit loss liability is to not use an ATM or debit card for purchases (especially if it is an online purchase rather than a face-to-face purchase).
  • You can take additional steps to reduce the risk that your information gets into the wrong hands. While you have no control over what a business does with your information once you provide it, you can reduce the risk that your personal information is stolen while in your possession. As I have written before, some basic home network security practices will go a long way toward keeping you from becoming the easy target.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen