The Target Breach – Follow The Money

Uploaded by co3-systems, posted 18-Nov-2014

DESCRIPTION

You have probably heard of the major breach at the US retailer Target, in which 40m credit cards and their details were stolen. As with any incident of this magnitude, there are valuable lessons to be learned. One way to understand the breach more fully, to borrow a phrase from Deep Throat talking about the Watergate scandal in All the President's Men, is to follow the money. This webinar will do just that.

Using the Target breach as a real example, for which there is now much information in the public domain, we will detail what we know about how it happened. We will place particular emphasis on the money trail: not only how the bad guys turn the data into cash, but also who ends up footing the bill, the role insurance can play, and the resulting lawsuits and other repercussions (both the CEO and CIO of Target have resigned). As such, this webinar represents a powerful opportunity to learn first hand what really happens as a breach unwinds, from a very respected professional who has been in the trenches for decades.

Three important take-aways from this webinar:

1. Why Chip and PIN is not foolproof
2. A detailed understanding of where the money goes post breach
3. Top tips for how firms must think differently about IR in the wake of Target-like incidents

Our featured speakers for this webinar:

- Ted Julian, Chief Marketing Officer, Co3 Systems
- Mark Rasch, Chief Privacy Officer, SAIC

TRANSCRIPT

Page 1: The Target Breach - Follow The Money EU

The Target Breach – Follow The Money

Page 2

Agenda

• Introductions
• How The Money Flows
• The Fraud Cycle: Who wins? Who loses?
• The Target Attack
• The Aftermath

Page 3

Introductions: Today’s Speakers

• Ted Julian, Chief Marketing Officer, Co3 Systems

• Mark D. Rasch, Esq., Chief Privacy Officer, SAIC

Page 4

A Complete System for IR Management

Prepare – Improve Organizational Readiness
• Appoint team members
• Fine tune response SOPs
• Link in legacy applications
• Run simulations (fire drills, table tops)

Assess – Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Track incidents, maintain logbook
• Automatically prioritize activities based on criticality
• Log evidence
• Generate assessment

Manage – Contain, Eradicate and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling

Mitigate – Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization

Page 5

THE PROCESS

MAKING MONEY MOVE

Page 6

Intro

• When a cardholder uses a credit card to purchase merchandise, the transaction moves through a process that involves authorization, clearing and settlement.

• Each step of the process involves an exchange of transaction data and money that must be settled and balanced.

• This process ends when the cardholder pays for the merchandise listed on his/her monthly statement.

Page 7

Dramatis Personae

• Cardholder – The consumer who holds the card.

• Merchant – An entity that contracts with an acquiring processor to originate transactions.

• Acquiring Processor – An entity that communicates with Visa (the card network) to obtain approvals to complete cardholder transactions on the merchant's behalf. The merchant's processor is an acquiring processor.

• Visa – The card association (network). Visa is the largest payment system, enabling 14,000 financial institutions to process over $1 trillion in annual transaction volume.

• Issuing Bank – The financial institution who issues the credit card. For example, CapitalOne, Chase, Wells Fargo.

Page 8

Other Parties (who can I blame?)

• Software vendor – creates and/or maintains general software
• CRM vendors and contractors – hired by the merchant to maintain Customer Relationship Management (CRM) data, which feeds into the POS terminal
• POS terminal vendor – supplier of POS terminals, related software, maintenance and support
• PCI DSS / PA-DSS assessor – assesses and certifies compliance with the PCI DSS standards
• IT security staff/consultants – conducted pen tests and other assessments
• IT audit (internal/external)
• Third-party vendors with access to the Target network (HVAC)
• Don't forget insurers!

Page 9

The Holy Grail

• The hacker wants unencrypted, plain-text copies of the magstripe credit card data:
• with PINs for debit cards
• with CVVs
• with personal information
• How to do it?
• Steal aggregated (stored) data
• Aggregate stolen data
• A combination of the two
• The data is unencrypted only briefly: in the POS terminal's memory, between the swipe and encryption for authorisation
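To make concrete what "unencrypted only briefly" means, here is an added example (not code from the Co3/SAIC deck): a scanner that walks a memory image for track 2 records the way a POS RAM scraper does, keeping only the Luhn-valid hits. Run over a register's own process dumps it doubles as a check of where and for how long card data is exposed. The memory buffer, the PANs and the service codes in it are constructed test data; the Luhn and service-code rules are the standard ones.

```python
"""
Added example, not code from the deck: what a POS RAM scraper hunts for.
Track 2 of the magstripe is a short ASCII record, ;PAN=YYMMSSS<discretionary>?,
and it sits in cleartext in POS process memory only for the moment between the
swipe and the encryption of the authorisation message. The scraper matches that
shape anywhere in memory and keeps the Luhn-valid hits; this script does the
same. SAMPLE_MEMORY and the PANs in it are constructed test data.
"""
import re
from dataclasses import dataclass

# ';' start sentinel, 13-19 digit PAN, '=' field separator, YYMM expiry,
# 3-digit service code, discretionary data (PVKI, PVV, CVV1), '?' end sentinel
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


@dataclass(frozen=True)
class Track2Hit:
    offset: int
    pan: str
    expiry: str          # YYMM
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Luhn check digit; scrapers use it to drop digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def chip_capable(service_code: str) -> bool:
    """Service code first digit 2 or 6 means the card also carries an EMV chip."""
    return service_code[0] in "26"


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list[Track2Hit]:
    """Find Luhn-valid track 2 records anywhere in a memory image."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue                       # looks like a track, is not a card
        hits.append(Track2Hit(m.start(), pan, m.group(2).decode(),
                              m.group(3).decode(), m.group(4).decode()))
    return hits


# Constructed "process memory": log strings around one swipe and one decoy.
SAMPLE_MEMORY = (
    b"POS v4.1 auth thread\x00\x00"
    b";4111111111111111=25122011234567890?"   # Luhn-valid test PAN, chip card
    b"\x00\x00swipe done\x00"
    b";4111111111111112=25121011234567890?"   # last digit wrong: fails Luhn
    b"\x00encrypt+send\x00"
)

if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        print(f"offset {h.offset}: {mask_pan(h.pan)} exp {h.expiry} "
              f"svc {h.service_code} chip={chip_capable(h.service_code)}")
```

The service code matters for the Chip-and-PIN discussion later in the deck: a scraped record whose service code starts with 2 or 6 came from a chip card, and the thief who re-encodes it onto a blank stripe is betting on magstripe fallback at the terminal.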

Page 10

THE FRAUD CYCLE

WINNERS AND LOSERS

Page 11

Fraud Flow

1. The issuer issues the credit card to the consumer; the card is not secure because of cost.
2. The consumer fails to protect the card because of zero liability.
3. The consumer uses the card at a Target store and swipes it at the POS.
4. The hacker steals the number and sells it.
5. Hackers post the stolen credit cards on multiple "carder" forums around the world. The card numbers are bought and sold within minutes or hours of having been stolen.
6. Carders use machines to create new "bogus" credit cards.
7. Carders distribute these bogus cards worldwide.
8. Carder "mules" use the bogus cards at ATMs or stores worldwide, purchasing goods (or services) online or offline.
9. The purloined products are sold on online auction sites.
10. Some of the proceeds are used to finance new hacks.

Page 12

Losers

• Issuer – reissue millions of cards, call centers 24/7 at Christmas
• Consumer – loss of confidence, anxiety, monitoring, inconvenience, possible $50 loss
• Target – massive dollar loss, cost of investigation, PCI DSS "fines," AG investigations, loss of reputation, loss of confidence
• Target stockholders – loss of share price (short and long term)
• POS vendor/processor – possible liability (but look at the contracts)
• Third-party merchants – lost sales; card-present vs. card-not-present transactions
• Manufacturers – lost sales because of fraudulent purchases
• Insurers – indemnify each of these parties
• Web/e-commerce merchants – fraudulent sales
• PCI DSS certification entity

Page 13

SEC Disclosure

• Target stock price (6 month)

• TJX (5 year)

• Heartland Payment (5 year)

Page 14

Market Reaction?

• May 19, 2014, Bloomberg poll:
• 7 percent of shoppers plan to reduce spending at Target next year
• 85 percent expect to shop at Target about the same amount
• 7 percent will shop more
• 1 percent offered no opinion
• The Star Tribune (MN) found similar results in a Minnesota poll

Page 15

Target Class Actions

More than 90 lawsuits have been filed against Target and consolidated into class action litigation. The claims are mostly negligence and breach of contract.

Page 16

Trustmark/Trustwave Litigation

• March/April 2014
• Trustmark National Bank (NY) and Green Bank NA (Houston) were card issuers to consumers
• Some of their customers' cards were used at Target and thereafter used fraudulently, and had to be reissued by Trustmark and Green
• Trustmark and Green sued Target AND Target's PCI assessor/monitor, Trustwave
• Possible third-party liability for assessors?
• Case voluntarily dismissed, so no precedent

Page 17

Winners

• Verizon Business
• FBI/USSS
• Experian
• Data breach notification companies
• WalMart and other competitors
• Hackers!
• Next-gen payment system vendors
• Security vendors/consultants
• Forensic investigators
• Brian Krebs
• Cyber-insurance sellers
• Lawyers

Page 18

Finger Pointing – Target vs. Issuers

• Target: it's the card issuers' fault for issuing insecure "magstripe" cards (to save infrastructure costs). Target tried to push "Chip & PIN" cards but met resistance from the banks. Upgrading Target alone to Chip & PIN = $100 million.

• Banks: it's the merchant's fault because of faulty security and trust models, i.e. PCI DSS violations.

• In 2012 banks bore 63% of fraud losses; merchants 37%*

• Bank losses come from counterfeit cards; merchant losses from card-not-present (CNP) transactions on the Web, at a call center or through mail order.

• BUT – the goal is NOT to prevent/reduce fraud! The goal is to enhance consumer confidence.

* (Source: Nilson Report, August 2013)

Page 19

POLL

How did Target handle their breach response?

Page 20

THE ATTACK

Willie Sutton was right...

Page 21

PIN Weaknesses

• A 4-digit PIN = exactly 10,000 possible combinations (10^4), which is fine on its own

• But more than 10% of the PINs in the analysed set were 1234. Expanding a bit, 1234, 0000 and 1111 together make up about 20%

• 26.83% of PINs can be guessed using the top 20 combinations

• Birthday years are big. The 19xx PINs (1986, 1960, 1991, and so on) are extremely popular, with years from later in the century used the most

• 17.8% are couplets, such as 7878 and 8181

• And don't forget 2580 (straight down the middle column of the keypad)
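Added example, not from the deck: a classifier for the weak PIN classes listed above and a calculator for how much of a PIN population an attacker covers with a handful of guesses. The 20-PIN population, the small common-PIN blocklist and the year range 1930 to 2014 are assumptions for illustration; the percentages on the slide come from the original leaked-PIN analysis, not from this data.

```python
"""
Added example, not code from the deck: sort 4-digit PINs into the weak classes
the slide names and measure attacker coverage over a population. SAMPLE_PINS
is constructed; COMMON_PINS and the year range are assumptions.
"""
from collections import Counter
from typing import Optional

# Assumed blocklist of popular PINs that none of the structural rules catch.
COMMON_PINS = {"1004", "1122"}


def keyspace(length: int = 4) -> int:
    """Combinations a blind attacker faces: 10^4 = 10,000 for four digits."""
    return 10 ** length


def weak_class(pin: str) -> Optional[str]:
    """Weakness class of a 4-digit PIN, or None if it looks unstructured."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be exactly four digits")
    if len(set(pin)) == 1:
        return "repeated"          # 0000, 1111
    if pin[:2] == pin[2:]:
        return "couplet"           # 7878, 8181
    if pin == "2580":
        return "keypad-column"     # straight down the middle of the keypad
    steps = [int(b) - int(a) for a, b in zip(pin, pin[1:])]
    if steps in ([1, 1, 1], [-1, -1, -1]):
        return "sequence"          # 1234, 4321
    if 1930 <= int(pin) <= 2014:   # assumed birthday-year window
        return "year"
    if pin in COMMON_PINS:
        return "common"
    return None


def class_breakdown(pins) -> Counter:
    """How many PINs in the population fall into each weak class."""
    return Counter(weak_class(p) or "unstructured" for p in pins)


def coverage_of_top(pins, n: int) -> float:
    """Fraction of the population hit by trying the n most frequent PINs."""
    counts = Counter(pins)
    return sum(c for _, c in counts.most_common(n)) / len(pins)


# Constructed population of 20 PINs (not real customer data).
SAMPLE_PINS = ["1234", "1234", "1234", "1234", "0000", "0000", "1111", "2580",
               "7878", "8181", "1986", "1960", "1991", "5839", "4723", "8164",
               "2917", "6053", "3974", "6218"]

if __name__ == "__main__":
    print("keyspace:", keyspace())
    print("classes:", dict(class_breakdown(SAMPLE_PINS)))
    for n in (1, 3, 20):
        print(f"top-{n} guesses cover {coverage_of_top(SAMPLE_PINS, n):.0%}")
```

The point the slide makes falls out of coverage_of_top: against a population like this, one guess already covers a fifth of the cards, which is why an issuer's card-management system should reject the structured classes at PIN selection rather than trust the 10,000-combination keyspace.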

Page 22

Skimmers

• Another route: a physical attack on the terminal
• The skimmer collects, stores and transmits magstripe data and PIN data (the PIN is captured as it is keyed, before the real pad encrypts it)
• Easy to install, but needs physical access to the device
• Can transmit data by Bluetooth or TCP/IP, or store it for later pickup ("store and dump")
• New devices look exactly like regular PIN pads and card slots

Page 23

THE TARGET ATTACK

TWAS SOME WEEKS BEFORE CHRISTMAS…

Page 24

Target Timeline

• Hackers break in using credentials from a PA HVAC contractor
• DOJ contacts Target to inform them of the breach
• Target meets with DOJ and USSS
• Target retains investigators
• Target notifies payment processors and card brands; begins malware removal
• More malware removed from 25 disconnected terminals
• Public breach notification

Page 25

More Timeline (Bloomberg)

Page 26

FireEye (now includes Mandiant)

• Target used FireEye monitoring, a malware detection tool
• Target's monitoring team in Bangalore reported to corporate HQ in Minneapolis
• Saturday, Nov. 30: hackers had infiltrated Target's network but not yet removed data
• They uploaded exfiltration malware to move stolen credit card numbers, first to staging points spread around the U.S. to cover their tracks, then to their computers in Russia
• FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then ...
• NOTHING HAPPENED

Page 27

What We THINK We Know – The Vulnerability

• The attack included POS malware

• "Kaptoxa" (Russian slang for "potato"), renamed "DUMP MEMORY GRABBER by Ree[4]"

• The BlackPOS author ("Ree[4]") has sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit card shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others

• BlackPOS/Kaptoxa versions and mods are sold on the black market as source code

Page 28

The Weakest Link

• Hackers broke into Target's network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems
• Why did an HVAC contractor have/need network credentials?
• Why was this linked to the CRM/payment database?
• What vulnerability let hackers into Fazio's computers?

Page 29

Timeline

• Between Nov. 15 and Nov. 28 (Thanksgiving, the day before Black Friday), hackers upload RAM-scraping software to a small number of POS terminals at Target
• Hackers test the POS hack to make sure it works
• Nov. 30: expand to the majority of POS devices and begin collecting from live transactions
• Nov. 30 to December 15: collect and dump
• FTP from Russia?
• Dump to a hacked computer in Miami
• Hacked drop server in Brazil

Page 30

Anatomy of a Carder Network

• Multiple parts, multiple actors
• Trojan/malware design
• Access/hack
• Malware injection (social network?)
• Exploitation/harvesting
• Acquisition of data and selling of data
• Conversion of data to cards/goods/services
• Conversion of goods/services to money
• Distribution of money

Page 31

Curiosities of the Target Hack

• Obtained PINs – suggests a hack at the POS

• BUT – obtained e-mail addresses – suggests a hack at the CRM

• Hacked tens of millions – suggests aggregated data

• BUT the attack profile suggests individual POS terminals were attacked

• Targeted at Target's software, BUT

• Multiple entities compromised

Page 32

Breach Aftermath

• The breach affected two types of data:
• payment card data of 40 million people who shopped at Target US stores from November 27 through December 18
• personal data (name, mailing address, phone number or email address) of 70 million people
• The hacker stole a vendor's credentials to access Target's system
• Placed malware on POS terminals
• Designed to capture payment card data from the magnetic stripe of credit and debit cards prior to encryption within Target's system
• The malware also captured encrypted PIN data

Page 33

Breach Aftermath

• Target CEO Gregg Steinhafel resigned. No bonus or short-term cash incentive
• Target CIO Beth Jacob (CIO since 2008) resigned
• Stock price down
• Consumer confidence down
• More than 90 lawsuits have been filed against Target
• Target spent $61 million through Feb. 1 responding to the breach
• Target's profit for the holiday shopping period fell 46 percent from the same quarter the year before; the number of transactions suffered its biggest decline since the retailer began reporting the statistic in 2008

Page 34

RILA Information Sharing

• Retailers launched the Retail Cyber Intelligence Sharing Center

• American Eagle Outfitters, Gap Inc., J. C. Penney Co., Lowe's, Nike, Safeway, Target, VF Corp. and Walgreen Co. are participating in the initiative, according to the Retail Industry Leaders Association

• No word on whether Wal-Mart will participate

Page 35

Target Security

• SOC manager Brian Bobo departed the company in October, leaving a crucial post vacant
• Alerts sent from FireEye were not responded to
• Symantec Endpoint Protection identified suspicious behavior over several days around Thanksgiving, pointing to the same server identified by the FireEye alert
• The malware was disguised with the name "BladeLogic" (the name of a legitimate data-center automation product, so it blended into the expected software inventory)

Page 36

Malware Passwords

• Crysis1089: an Xbox gamer's name and October 1989, Ukrainian independence day
• Rescator: the pirate in the 1967 French film Indomptable Angélique; a Ukrainian trafficker in stolen credit card numbers
• Cheapdumps.org
• Lampeduza.la
• Names associated with Laos, Somalia, and the former Soviet Union, but operating in Odessa

Page 37

Rescator.so

• Sells exploit code
• Sells stolen cards (bulk discount in the thousands)
• Filter by issuing bank, type of card (ATM, American Express Blue, Visa, etc.), expiration date, last four digits, city
• Cost: $6 (prepaid gift card) to $200 (American Express Platinum)
• Accepts Bitcoin and Western Union. Return policy!
• March 2014: Rescator hacked; logins, passwords and payment information of carders stolen!

Page 38

Exfiltration

• The malware was designed to send data automatically to three different U.S. staging points

• It had user names and passwords for the thieves' staging servers (Ashburn, Va., Provo, Utah, and Los Angeles) embedded in the code

• Exfiltration happened only between 10 a.m. and 6 p.m. Central Standard Time, so it blended into regular working-hours traffic

• 11 gigabytes of data went from the staging points to a Moscow-based hosting service called vpsville.ru
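Added example, not from the deck: a detection that ignores time of day, since the working-hours schedule above defeats any off-hours traffic rule. Registers have a tiny legitimate set of external peers, so the rule baselines the POS segment by destination and volume instead. The register VLAN 10.20.0.0/16, the allowlisted acquirer gateway 203.0.113.10, the 1 MB threshold and the flow records are constructed assumptions; the public addresses are IETF documentation ranges, not the real staging servers.

```python
"""
Added example, not code from the deck: flag external peers of a register
segment by destination and volume, with no time-of-day condition at all.
FLOWS, POS_NET, ALLOWED_EXTERNAL and BYTES_THRESHOLD are constructed
assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

POS_NET = ipaddress.ip_network("10.20.0.0/16")                # assumed register VLAN
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = {ipaddress.ip_address("203.0.113.10")}     # assumed acquirer gateway
BYTES_THRESHOLD = 1_000_000   # assumed: an authorisation is a few KB, never MB

# Constructed flow log, one record per line: timestamp src dst dport bytes
FLOWS = """\
2013-11-30T10:05:00 10.20.3.14 203.0.113.10 443 1820
2013-11-30T10:07:11 10.20.3.14 198.51.100.7 21 2400000
2013-11-30T11:40:02 10.20.5.2 198.51.100.7 21 3100000
2013-11-30T13:15:44 10.20.7.9 10.1.1.50 445 80000
2013-11-30T17:58:20 10.20.3.14 198.51.100.7 21 900000
2013-11-30T23:30:00 10.20.3.14 203.0.113.10 443 2100
"""


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Parse 'ts src dst dport bytes' lines into tuples with ipaddress objects."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        rows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                     int(dport), int(nbytes)))
    return rows


def external_peers(flows):
    """Per external destination: total bytes, which registers, which ports.
    The timestamp is deliberately never consulted."""
    stats = defaultdict(lambda: {"bytes": 0, "hosts": set(), "ports": set()})
    for _ts, src, dst, dport, nbytes in flows:
        if src not in POS_NET or is_internal(dst):
            continue
        s = stats[dst]
        s["bytes"] += nbytes
        s["hosts"].add(src)
        s["ports"].add(dport)
    return stats


def suspicious_destinations(flows):
    """External peers of the register VLAN that are not allowlisted, with reasons."""
    alerts = []
    for dst, s in external_peers(flows).items():
        if dst in ALLOWED_EXTERNAL:
            continue
        reasons = ["not on register allowlist"]
        if s["bytes"] >= BYTES_THRESHOLD:
            reasons.append(f"{s['bytes']} bytes out")
        if len(s["hosts"]) > 1:
            reasons.append(f"{len(s['hosts'])} registers involved")
        if 21 in s["ports"]:
            reasons.append("FTP")
        alerts.append((str(dst), reasons))
    return alerts


if __name__ == "__main__":
    for dst, reasons in suspicious_destinations(parse_flows(FLOWS)):
        print(dst, "; ".join(reasons))
```

Every record to the staging host in the sample falls inside business hours, and the rule still fires because a register has no business sending megabytes over FTP to any address that is not its acquirer. The allowlist is the baseline; volume and fan-in across registers are the severity.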

Page 39

Target Responses

1. End-to-end review of security of network.

2. Increased fraud detection for Target REDcard customers.

3. Reissuing new Target credit or debit cards to any customer who requests one.

4. Offering one year of free credit monitoring and identity theft protection to anyone who has ever shopped at our U.S. Target stores. Includes free credit report, daily credit monitoring, identity theft insurance and unlimited access to personalized assistance from fraud resolution agent.

5. Told customers to monitor accounts, and that there is zero liability.

6. Adding PIN and Chip for Target REDcards and POS.

7. $5MM for BBB and National Cyber Security Alliance and the National Cyber-Forensics & Training Alliance to advance public education around cybersecurity and the dangers of consumer scams.

8. Launch a retail industry Cybersecurity and Data Privacy Initiative that will be focused on informing public dialogue and enhancing practices related to cybersecurity, improved payment security and consumer privacy.

Page 40

POLL

What could Target have done better?

Page 41

THE AFTERMATH

SEND IN THE LAWYERS…

Page 42

Chip and PIN?

• Tamper-resistant chip on the card
• Machine readable; the chip authenticates each transaction with a card-specific key (the cryptogram), so what the terminal reads is not a static copy of the card
• Requires the PIN to activate
• More secure than magstripe? The chip must be read and the PIN entered, and a chip is much harder to counterfeit than a re-encoded stripe
• But a stolen number still works for online (card-not-present) purchases
• And the default is still the magstripe: terminals fall back to it, and chip cards continue to carry one
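Added example, not from the deck: a simulation of why a copied magstripe replays while a copied chip record does not, and of the two gaps the slide lists. HMAC-SHA256 stands in for the EMV cryptogram (real cards use 3DES/AES session keys derived from an ICC master key and an 8-byte MAC), offline PIN verification by the chip is omitted, and every PAN, key and track string is constructed.

```python
"""
Added example, not code from the deck: static stripe data vs. a per-transaction
chip cryptogram (ARQC), and the card-not-present and magstripe-fallback gaps.
HMAC-SHA256 is an assumed stand-in for the EMV cryptogram; PIN is omitted.
"""
import hashlib
import hmac
import re
import secrets

TRACK2_SHAPE = re.compile(r";\d{13,19}=\d{4}\d{3}\d*\?")


class ChipCard:
    """Holds a key it never reveals; the ATC counter increments per transaction."""
    def __init__(self, pan: str, key: bytes, atc: int = 0):
        self.pan, self._key, self.atc = pan, key, atc

    def generate_arqc(self, amount: int, unpredictable_number: int) -> dict:
        self.atc += 1
        msg = f"{self.pan}|{amount}|{self.atc}|{unpredictable_number}".encode()
        return {"pan": self.pan, "amount": amount, "atc": self.atc,
                "un": unpredictable_number,
                "arqc": hmac.new(self._key, msg, hashlib.sha256).digest()[:8]}


class Issuer:
    def __init__(self):
        self.card_keys = {}   # PAN -> card key (lives in an issuer HSM in reality)
        self.last_atc = {}

    def personalise(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self.card_keys[pan] = key
        return ChipCard(pan, key)

    def authorise_magstripe(self, track2: str) -> bool:
        # Static data: nothing ties the record to this terminal or transaction,
        # so a copy on a blank card is indistinguishable from the original.
        return TRACK2_SHAPE.fullmatch(track2) is not None

    def authorise_chip(self, req: dict, terminal_un: int, amount: int) -> bool:
        key = self.card_keys.get(req["pan"])
        if key is None:
            return False
        if req["un"] != terminal_un or req["amount"] != amount:
            return False                            # bound to a different transaction
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False                            # counter reuse: replay
        msg = f"{req['pan']}|{amount}|{req['atc']}|{terminal_un}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, req["arqc"]):
            return False                            # wrong key: counterfeit chip
        self.last_atc[req["pan"]] = req["atc"]
        return True


def run_scenarios() -> dict:
    issuer = Issuer()
    pan = "4111111111111111"                       # constructed test PAN
    genuine = issuer.personalise(pan)
    chip_card_stripe = f";{pan}=2512201000000000?"   # service code 201: chip present
    stripe_only = ";5555555555554444=2512101000000000?"  # service code 101: no chip

    # 1. Genuine chip transaction: the terminal picks a fresh unpredictable number.
    un = secrets.randbelow(2 ** 32)
    req = genuine.generate_arqc(1999, un)
    out = {"chip_genuine": issuer.authorise_chip(req, un, 1999)}

    # 2. A thief replays the captured ARQC record, at a new terminal and at the same one.
    out["chip_replay_new_un"] = issuer.authorise_chip(req, secrets.randbelow(2 ** 32), 1999)
    out["chip_replay_same_un"] = issuer.authorise_chip(req, un, 1999)

    # 3. Counterfeit chip built from copied static data (PAN, ATC) but without the key.
    clone = ChipCard(pan, b"\x00" * 16, atc=genuine.atc + 10)   # ATC high enough to pass
    un2 = secrets.randbelow(2 ** 32)
    out["chip_clone_no_key"] = issuer.authorise_chip(clone.generate_arqc(1999, un2), un2, 1999)

    # 4. Copied stripe of a magstripe-only card, re-encoded onto a blank.
    out["magstripe_clone"] = issuer.authorise_magstripe(stripe_only)

    # 5. A chip card still carries a stripe; a terminal that falls back accepts the copy.
    out["magstripe_fallback_of_chip_card"] = issuer.authorise_magstripe(chip_card_stripe)
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:34s} {'ACCEPTED' if ok else 'rejected'}")
```

The chip path rejects three different forgeries for three different reasons (wrong unpredictable number, reused counter, wrong key), yet the same card's stripe is accepted on fallback and its PAN alone would suffice online. That is the whole of "not foolproof": the protection is only as strong as the weakest channel the issuer still honours.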

Page 43

EMV (Europay, Mastercard, Visa) Chip Adoption

Page 44

Enforcement Actions

• Federal Trade Commission – Section 5 of the FTC Act: enforce privacy policies and challenge data security practices that cause substantial consumer injury
• State Attorneys General – state notification statutes
• Connecticut: "Failure to comply . . . shall constitute an unfair trade practice . . ."
• Virginia: "The Attorney General may bring an action to address violations." Moreover, "nothing in this section shall limit an individual from recovering direct economic damages".
• Litigation in federal or state courts

Page 45

QUESTIONS

Page 46

Next Up

• Our next EU webinar• Details coming soon

• FIRST Annual Conference• June 22-27, Boston, MA

Page 47

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE

Mark D. Rasch, [email protected], (301) 547-6925

“One of the hottest products at RSA…”

NETWORK WORLD – FEBRUARY 2013