Tuesday, February 18, 2014

Been "Targeted?"

It's been a while since I blogged ... amazing how life gets in the way sometimes. Today I want to talk for a bit about the Target data breach that happened last November and December. I won't spend too much time on the technical details (several others have done an outstanding job on that front). Instead, I'll look at it from the "what now?" point of view.

Some background is in order though. Around December 12, 2013, the US Justice Department alerted Target that credit cards used at Target stores were subsequently being used fraudulently. By December 15, Target confirmed the "possibility" of a data breach. After substantial forensic work, a few things are becoming known.

  • The actors behind this breach are likely from Eastern Europe. Or China. Or Brazil. Or Miami. In reality, while fingers are pointing at Russia, the only thing credibly published so far is that the malware was written at least partly in Russian (but probably not by the lone 17-year-old credited by some reporters).
  • This was not a spur-of-the-moment event. The malware used to infect the point of sale devices had been around for at least a year, and there is some evidence that early versions of the program showed up in mid 2012. The HP Security Research Blog dissects the BlackPOS malware used in the Target attack, and discusses some of the evolution in that malware from early versions to the sophisticated version used in that attack.
  • The entry point was an HVAC contractor that worked for Target. Large businesses often have contracts with outside companies to monitor heating and cooling, refrigeration for perishables, and overall energy use, as a means of managing overall energy cost and of detecting and responding to failed systems before refrigerated/frozen goods have time to spoil. In such a scenario, the contractor would have some level of access to the industrial control systems network, but secure network design dictates that there must be some separation between the ICS network and the payment processing network.

    In this case though, the HVAC vendor states their data connection into Target is for electronic billing and project management, not for ICS operations. Again though, it is an entrance into the Target network and in some manner became the gateway to the more sensitive payment devices.

So, what do we do with this information?

As a consumer, a few things come to mind.
  • Understand the environment we live in today. You can't control what a business does with your data once provided, and you can't control how effectively they protect their own systems. When you decide to share information with someone (whether payment information, personally identifying information, medical information, etc.) your information is only as safe as their policies and their practices.
  • You can however invalidate the data that was taken. It costs banks very little to cancel one credit card number and issue a new number. It costs you nothing except some time (perhaps a lot of time if you have many recurring services billed to that card). If you used a payment card (credit or debit) at a Target store between November 27 and December 15, assume your card info is in the hands of a criminal and will eventually be used. Current reports say the malware infected only POS devices in US stores, but I've not seen any trustworthy reason it could not have reached POS devices in other countries as well.
  • Understand your liability. In the US, the Fair Credit Billing Act limits your liability for credit cards to $50 if you report fraudulent use promptly (and further, limits it to $0 if you report the card stolen before it is used fraudulently). Most banks now guarantee $0 liability for fraudulent use - hence it is in their interest to prevent fraudulent use in the first place. Many banks have sophisticated pattern-tracking systems that detect your typical patterns and will alert if something seems out of the ordinary. If you generally use your card at merchants in Miami, and a charge is recorded in Omaha (or Cambodia), there's a good chance the bank will flag that as suspicious and either call you, or require the merchant to verify your identity.

    The liability law for debit or ATM cards is considerably different. The Electronic Fund Transfer Act limits your liability to $0 if you report the card or number stolen before it is used, and to $50 if you report fraudulent use within two days after you learn of the theft. However, after two days your maximum loss increases to $500 - and if not reported within 60 days, you are on the hook for the entire loss.
  • You can take steps to limit your risk. As is clear from the above, one simple step you can use to limit loss liability is to not use an ATM or debit card for purchases (especially if it is an online purchase rather than a face-to-face purchase).
  • You can take additional steps to reduce the risk that your information gets into the wrong hands. While you have no control over what a business does with your information once you provide it, you can reduce the risk that your personal information is stolen while in your possession. As I have written before, some basic home network security practices will go a long way toward keeping you from becoming the easy target.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

1 comment:

  1. Great overview David! The one thing that I think we must all embrace is that we do have influence and the power of choice. We can, through our careful decisions, choose credit vendors and merchants who are responsible and invest in proper security. Although no system is impenetrable, organizations who bolster best in class controls with rapid detection and response will greatly limit the loss. Those who are open, communicate with customers, and quickly move to protect them in the event of a breach will minimize the impact to end-users. This is huge. We have a choice and choose with our wallets. We can choose good ecommerce partners and avoid those who don't think security is very important. They will get the message. We can change the industry with the almighty dollar. Our dollar. But it is up to us to make informed decisions and communicate to the marketplace (even via Twitter, blogging, Facebook, etc.) what we demand when it comes to securing our privacy, assets, and trust.


Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.