The Target Breach – Follow The Money
Post on 18-Nov-2014
The Target Breach – Follow The Money
Page 2
Agenda
• Introductions
• How The Money Flows
• The Fraud Cycle: Who wins? Who Loses?
• The Target Attack
• The Aftermath
Page 3
Introductions: Today’s Speakers
• Mark D. Rasch, Esq., Chief Privacy Officer, SAIC
• Ted Julian, Chief Marketing Officer, Co3 Systems
Page 4
The complete process – based on E.R. standards
PREPARE – Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table tops)
ASSESS – Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE – Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE – Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
THE PROCESS
Page 6
Intro
• When a cardholder uses a credit card to purchase merchandise, the transaction moves through a process that involves authorization, clearing and settlement.
• Each step of the process involves an exchange of transaction data and money that must be settled and balanced.
• This process ends when the cardholder pays for the merchandise listed on his/her monthly statement.
Page 7
Dramatis Personae
• Cardholder – The consumer who owns the card.
• Merchant – An entity that contracts with an Acquiring Processor to originate transactions.
• Acquiring Processor – An entity that communicates with Visa to gain approvals to complete cardholder transactions. Processor is an acquiring processor.
• Visa – The largest association member. Visa is the largest payment system, enabling 14,000 financial institutions to process over $1 trillion in annual transaction volume.
• Issuing Bank – The financial institution that issues the credit card. For example, CapitalOne, Chase, Wells Fargo.
Page 8
Other Parties (who can I blame?)
• Software vendor – creates and/or maintains general software
• CRM vendors and contractors – hired by merchant to maintain Customer Relations Management (CRM) data which feeds into POS terminal
• POS Terminal Vendor – supplier of POS terminals, related software, maintenance and support
• PCI/DSS-PA/DSS Assessor – assesses and certifies compliance with PCI DSS standards
• IT Security Staff/Consultants – conducted pen tests, other assessments
• IT Audit (internal/external)
• Third party vendors with access to Target network (HVAC)
• Don’t forget insurers!
Page 9
The Credit Card Transaction Process – Where does the data go?
• Step 1 - Authorization
Cardholder makes a purchase using a credit card. The merchant must obtain authorization for the purchase from the bank that issued the card.
• Step 2 - Clearing
If the transaction is approved, the next step is clearing. In this phase, the Issuing Bank obtains basic transaction data from the merchant, such as the amount, date and location of the purchase. This data is then sent to the credit card issuer for posting to the monthly credit card statement.
• Step 3 - Settlement
In the final step, settlement, the funds are collected from the Issuing Bank and transmitted to the merchant. When a consumer uses a credit card, the merchant does not receive payment at the time of purchase. The bank credits the merchant’s bank account. The bank then sends payment to the processor, who sends the payment to Visa. The cardholder receives a monthly statement and settles with Visa for purchases made using the credit card.
Page 10
2/6/2014
The Four Party Model (Debit Card)
(Diagram on the slide: Cardholder, Merchant, Issuer and Acquirer, with these labelled flows between them)
• Cardholder – Merchant: purchase goods / services using card payment instrument
• Cardholder – Issuer: card payment facility; convenience & payment instrument; transaction fees
• Merchant – Acquirer: settlement & payment services; merchant service charge
• Issuer – Acquirer: settlement & risk bearing; interchange fee
THE FRAUD CYCLE
Page 12
Fraud Flow
• $ Issuer issues cc to consumer – not secure because of cost
• Consumer fails to protect cc because of zero liability
• Consumer uses cc at Target store
• Consumer swipes card at POS
• Hacker steals number and sells it
• Hackers post stolen credit cards on multiple “carder” forums around the world. The card numbers are purchased and sold within minutes/hours of their having been stolen
• Carders use machines to create new “bogus” credit cards
• Carders distribute these bogus cards worldwide
• Carder “mules” use the bogus cards at ATM’s or stores worldwide
• Mules purchase goods (or services) online or offline
• The purloined products are sold on online auction sites
• Some of the proceeds are used to finance new hacks
Page 13
Losers
• Issuer – reissue millions of cards, call centers 24/7 at Christmas
• Consumer – loss of confidence, anxiety, monitoring, inconvenience – possible $50 loss
• Target – massive dollar loss, cost of investigation, PCI DSS “fines,” AG investigations, loss of reputation, loss of confidence
• Target Stockholders – loss of share price (short and long term)
• POS Vendor/Processor – Possible liability (but look at contracts)
• Third party merchants – out sales, cardmember “present” vs. cardmember “not present” transactions.
• Manufacturers – lost sales because of fraudulent purchases
• Insurers – indemnify each of these parties
• Web/E-commerce merchants – fraudulent sales
• PCI DSS Certification entity
Page 14
SEC Disclosure
• Target stock price (6 month)
• TJX (5 year)
• Heartland Payment (5 year)
Item 1A. Risk Factors
There have been no material changes to the risk factors
described in our Annual Report on Form 10-K for the fiscal year
ended February 2, 2013.
Page 15
Target Class Actions
Page 16
SEC Disclosure
Page 17
Friendly Letters From Congress
Page 18
Trade Organization Response
Page 19
Winners
• Verizon business
• FBI/USSS
• Experian
• Data breach notification companies
• WalMart or competitors
• Hackers!
• Next Gen Payment System vendors
• Security Vendors/Consultants
• Forensic investigators
• Brian Krebs
• Cyber-insurance sellers
• Lawyers
Page 20
Finger Pointing – Target vs. Issuers
• Target – it’s the credit card issuers’ fault for having insecure “magstripe” credit cards (to save infrastructure costs). Target tried to push “Chip & PIN” cards but had resistance from banks. Upgrading Target alone to Chip & PIN = $100 million.
• Banks – it’s the merchant’s fault because of faulty security and trust models – PCI DSS violations.
• In 2012 banks bore 63% of fraudulent losses; merchants 37%*
• Bank losses come from counterfeit cards; merchant losses come from card-not-present (CNP) transactions on the Web, at a call center or through mail order.
• BUT – the goal is NOT to prevent/reduce fraud! The goal is to enhance consumer confidence.
* (Source: Nilson Report, August 2013)
POLL
THE ATTACK
Page 23
Threat model
• Attacker types
• Class I: Clever outsiders
• Intelligent, but lack information; exploit known attacks
• Class II: Knowledgeable insiders
• Have inside information on protocols/design, can use sophisticated tools
• Class III: Funded organizations
• Have information, resources, equipment, and incentives
• Can employ class II attackers in teams
Page 24
Attacker Goals
• To get the crypto keys stored in RAM or ROM
• To learn the secret crypto algorithm used
• To obtain other information stored in the chip (e.g. PINs)
• To modify information on the card (e.g. calling card balance)
Page 25
Methodology
• Obtain access – likely SQL injection
• Obtain data – likely RAM scraper (inter-process communications hook)
• Aggregate data – create internal shared drive / use vendor hard-coded credentials (BMC)
• Store data – create password-protected root access remote file server with additional services
• Exfiltration – FTP or other access to remote file share (Cuckoo’s Egg)
Page 26
Transaction PIN Flow Diagram …
(Diagram on the slide; its boxes, in the order of the flow from Card Holder to Issuer)
• Card Holder uses debit card (ATM/POS) and enters PIN.
• PED or Payment Terminal encrypts the PIN using the PIN Encryption Key already injected within the device.
• Acquirer/Acquirer Processor: PIN is decrypted using the same key … and then encrypted by the Acquirer/Working Key, which may be shared with VisaNet or other Network.
• PIN is decrypted using the Acquirer/Working Key … and then encrypted by the Issuer Working Key, which is shared with the Card Issuer.
• Issuer: PIN is decrypted using the Issuer Key … and then validates the PIN. When the PIN is validated, the final transaction occurs.
PIN Processing
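The hop-by-hop translation on the slide, as an added example (not code from the deck or from any payment network): the PED builds an ISO 9564 format-0 PIN block and encrypts it under the injected PIN Encryption Key, the acquirer translates it to the Acquirer Working Key, the network translates it to the Issuer Working Key, and the issuer decrypts and validates. The zone keys are constructed, and the cipher is a keyed-XOR stand-in (an assumption made so the example runs with the standard library; real zones use TDES/AES keys inside HSMs), so the point shown is where the clear PIN block exists at each hop, not the cipher.

```python
import hashlib
import hmac

BLOCK = 8  # ISO 9564 PIN blocks are 8 bytes

def toy_cipher(key: bytes, block: bytes) -> bytes:
    """Keyed-XOR stand-in for the zone cipher (assumption; NOT a real PIN
    cipher; production zones use TDES/AES keys held in HSMs). Self-inverse."""
    stream = hmac.new(key, b"pin-zone", hashlib.sha256).digest()[:BLOCK]
    return bytes(a ^ b for a, b in zip(block, stream))

def pan_field(pan: str) -> bytes:
    """Field 2: 0000 + the 12 PAN digits left of the check digit."""
    return bytes.fromhex("0000" + pan[-13:-1].rjust(12, "0"))

def format0_pin_block(pin: str, pan: str) -> bytes:
    """Field 1 (0, PIN length, PIN, F padding) XOR field 2."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    field1 = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(field1, pan_field(pan)))

def pin_from_block(block: bytes, pan: str) -> str:
    """Issuer side: undo the PAN mask and read the PIN back out."""
    field1 = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if field1[0] != "0":
        raise ValueError("not a format-0 PIN block")
    return field1[2:2 + int(field1[1], 16)]

def translate(ctext: bytes, key_in: bytes, key_out: bytes) -> bytes:
    """One hop of the diagram: decrypt under the inbound zone key and
    re-encrypt under the outbound one. The clear block exists only here,
    which is why this step lives inside an HSM at a real acquirer/network."""
    return toy_cipher(key_out, toy_cipher(key_in, ctext))

def run_transaction(pin_entered: str, pan: str, pin_on_file: str) -> bool:
    # Constructed zone keys (assumption): injected into the PED / HSM-managed.
    pek = b"terminal-pin-encryption-key"
    awk = b"acquirer-working-key"
    iwk = b"issuer-working-key"
    # PED: build the block and encrypt it under the injected PEK.
    c_pek = toy_cipher(pek, format0_pin_block(pin_entered, pan))
    # Acquirer: PEK -> AWK.  Network (VisaNet or other): AWK -> IWK.
    c_awk = translate(c_pek, pek, awk)
    c_iwk = translate(c_awk, awk, iwk)
    # Issuer: decrypt under IWK and validate against the PIN on file.
    return pin_from_block(toy_cipher(iwk, c_iwk), pan) == pin_on_file
```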
Page 27
PIN Weaknesses
• 4 digit PIN = 10k+ possible combinations (good)
• But > 10% of random PINs = 1234. Expanding a bit, 1234, 0000, and 1111 = 20%
• 26.83% of passwords can be cracked using the top 20 combinations.
• Birthday years are big. The 19xx PINs – 1986, 1960, 1991, and so on – are extremely popular, with PINs from later in the century used the most.
• 17.8% = couplets, such as 7878, 8181
• And don’t forget 2580
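An issuer-side policy check built from the patterns on this slide, as an added example (not from the deck): it flags the top three PINs, 19xx birth years, ABAB couplets and the 2580 keypad column, generalises the slide's 1234 case to any ascending or descending run, and computes the "top N guesses cover X%" metric over a PIN population so an issuer can measure its own exposure. The sample population is constructed.

```python
import re
from collections import Counter

# Rules taken from the slide: the three most common PINs, 19xx birth years,
# repeated couplets (7878, 8181) and the 2580 keypad column. The ascending /
# descending sequence rule generalises the slide's 1234 example.
COMMON_TOP3 = {"1234", "0000", "1111"}

def pin_weakness(pin: str) -> list[str]:
    """Return every rule a 4-digit PIN trips; an empty list means none."""
    if not re.fullmatch(r"\d{4}", pin):
        raise ValueError("expected exactly four digits")
    reasons = []
    if pin in COMMON_TOP3:
        reasons.append("top-3 most common")
    if pin[:2] == pin[2:]:
        reasons.append("couplet (ABAB)")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps == {1}:
        reasons.append("ascending sequence")
    elif steps == {-1}:
        reasons.append("descending sequence")
    if pin.startswith("19"):
        reasons.append("19xx birth year")
    if pin == "2580":
        reasons.append("keypad column 2-5-8-0")
    return reasons

def top_n_coverage(pins: list[str], n: int) -> float:
    """Share of a PIN population that the n most frequent values would hit:
    the same metric as the slide's '26.83% cracked by the top 20'."""
    if not pins:
        return 0.0
    top = {p for p, _ in Counter(pins).most_common(n)}
    return sum(1 for p in pins if p in top) / len(pins)

# Constructed sample population (assumption) to exercise the coverage metric.
SAMPLE_PINS = ["1234"] * 3 + ["0000"] * 2 + ["4831", "7391", "2260", "9015", "5517"]
```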
Page 28
Skimmers
• Another way to mount a physical attack
• Collects, stores and transmits
• Magstripe data
• Unencrypted PIN data
• Easy to install but needs physical access to the device
• Can transmit data by Bluetooth, TCP/IP or store and dump
• New devices look exactly like regular PIN pads, card slots
THE TARGET ATTACK
Page 30
Target Timeline
(Timeline graphic on the slide; its labels)
• DOJ contacts Target to inform them of the breach
• Target meets with DOJ / USSS
• Target retains investigators
• More malware removed from 25 disconnected terminals
• Target notifies payment processors and card brands – begins malware removal
• Public breach notification
• Hackers break in using credentials from PA HVAC contractor
Page 31
What We THINK We Know
• Attack included POS Malware
• "Kaptoxa" ("potato" in Russian slang), renamed "DUMP MEMORY GRABBER by Ree[4]"
• "BlackPOS" ("ree4") has sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit card shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others.
• BlackPOS/Kaptoxa versions and mods sold on the black market in source code
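The RAM scraper on the Methodology slide and the BlackPOS memory grabber described here both come down to finding track-2 data in process memory; the same pattern is what a defender runs over a memory dump, a suspicious internal file share or a captured transfer to confirm card data is exposed. Added example (not from the deck, and not BlackPOS code): the track-2 layout as a regex plus a Luhn check to drop look-alike numbers, reporting only masked PANs so the alert itself is not card data. The sample dump and the 4111... test PAN are constructed.

```python
import re

# Track-2 layout as stored on the magstripe: PAN (13-19 digits), '=' field
# separator, YYMM expiry, 3-digit service code, discretionary data, '?' sentinel.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d{0,20}\??")

def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; weeds out IDs/timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only first six / last four so the finding can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(blob: bytes) -> list[dict]:
    """Scan a memory dump, capture or suspected dump file for track-2 records."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue  # false positive: digit run with '=' but no valid check digit
        hits.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry_yymm": m.group(2).decode(),
            "service_code": m.group(3).decode(),
        })
    return hits

# Constructed sample (assumption, not real card data): protocol noise, a
# 13-digit session id that fails Luhn, and one synthetic track-2 record
# built on the well-known 4111... test PAN.
SAMPLE_DUMP = (
    b"\x00\x00GET /index HTTP/1.1\r\nsession=1234567890123=2012999\r\n"
    b";4111111111111111=25121011234567890?\x00\x00"
)
```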
Page 32
Chat Transcript
Page 33
Dump Memory Grabber
Page 34
Meet the Author Rinat Shabaev
Page 35
The Weakest Link
• Hackers broke into Target’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
• Why did HVAC contractor have/need network credentials?
• Why was this linked to CRM/Payment database?
• What vulnerability let hackers in to Fazio’s computers?
Page 36
Timeline
• Nov. 15 (Thanksgiving) and Nov. 28 (day before Black Friday),
hackers upload RAM scraping software to small number of POS
terminals at Target.
• Hackers test POS hack to make sure it works.
• Nov. 30 – expand to majority of POS devices.
• Nov. 30 – collect from live transactions.
• Nov. 30 – December 15 – collect and dump –
• FTP from Russia?
• Dump to hacked computer in Miami
• Hacked drop server in Brazil.
Page 37
Anatomy of a Carder Network
• Multiple Parts – Multiple Actors
• Trojan/Malware design
• Access/Hack
• Malware injection – social network?
• Exploitation/harvesting
• Acquisition of data and selling of data
• Conversion of data to cards/goods/services
• Conversion of goods/services to money
• Distribution of money
Page 38
Curiosities of Target Hack
• Obtained PIN – suggests hack at POS
• BUT – obtained e-mail addresses – suggests hack at CRM
• Hacked tens of millions – suggests aggregated data
• BUT attack profile suggests individual POS attacked
• Targeted to Target’s software BUT
• Multiple entities compromised
Page 39
Breach Aftermath
• Breach affected two types of data:
• payment card data of 40 million who shopped at Target US Stores from November 27 through December 18
• personal data (name, mailing address, phone number or email address) of 70 million people.
• Hacker stole a vendor’s credentials to access Target system
• Placed malware on POS terminals.
• Designed to capture payment card data from the magnetic stripe of credit and debit cards prior to encryption within Target system.
• Malware also captured encrypted PIN data.
Page 40
Target Responses
1. End-to-end review of security of network.
2. Increased fraud detection for Target REDcard customers.
3. Reissuing new Target credit or debit cards to any customer who requests one.
4. Offering one year of free credit monitoring and identity theft protection to anyone who has ever shopped at our U.S. Target stores. Includes free credit report, daily credit monitoring, identity theft insurance and unlimited access to personalized assistance from fraud resolution agent.
5. Told customers to monitor accounts, and that there is zero liability.
6. Adding PIN and Chip for Target REDcards and POS.
7. $5MM for BBB and National Cyber Security Alliance and the National Cyber-Forensics & Training Alliance to advance public education around cybersecurity and the dangers of consumer scams.
8. Launch a retail industry Cybersecurity and Data Privacy Initiative that will be focused on informing public dialogue and enhancing practices related to cybersecurity, improved payment security and consumer privacy.
POLL
THE AFTERMATH
Page 43
It ain’t over
• Neiman Marcus, Michaels, and others
• FBI January 17 report: "Recent Cyber Intrusion Events Directed Toward Retail Firms."
• "We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it”
• "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors," the FBI said.
• Malware was being sold online for over a year for about $2,000
• 1/30/2014 – millions of Yahoo! passwords stolen
Page 44
Enforcement Actions
• Federal Trade Commission – Section 5 of FTC Act
• Enforce privacy policies and challenge data security practices that cause substantial consumer injury
• State Attorney General – State Notification Statutes
• Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
• Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”.
• Litigation in federal or state courts
Page 45
Litigation
Unusual Court Rulings
• Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121 (N.D. Cal. 2008).
• Laptop computer stolen, which contained approximately 800,000 Gap job applications (including name and social security no.)
• Court denied defendant’s motion for summary judgment and held that plaintiff “has alleged injury in fact” to establish standing
• “Increased risk of identity theft” constituted sufficient “injury in fact”
Page 46
Litigation
Unusual Court Rulings
• Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).
• Laptop computer stolen from employer’s pension consultant, which contained personal information (including name and social security no.)
• Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of fiduciary duty
• Court denied motion with respect to claim that plaintiff was third-party beneficiary between defendant and plaintiff’s employer
Page 47
Send In the Insurers
• Target self-insured for the first $10 million
• $15 million of excess coverage with Ace Ltd.;
• $15 million layer with American International Group Inc.;
• $10 million layer with Bermuda-based Axis Capital Holdings Ltd.;
• Another $10 million coverage layer with AIG;
• Quota share for the next $40 million of cyber insurance divided among four unidentified insurers.
• Executive liability = $10 million self-insured retention; then $25 million in primary D&O coverage with AIG; then $15 million of coverage with Ace; and then $15 million of coverage with the Hartford, Conn.-based Travelers Cos. Inc.
Target could be facing losses of up to $420 million
QUESTIONS
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Mark D. Rasch, Esq.
Mark.D.Rasch@saic.com
(301) 547-6925
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013