The Target Breach Follow The Money

Upload: co3-systems

Post on 18-Nov-2014


DESCRIPTION

Everyone's heard about the Target breach at the end of last year; some of you may have been affected. One way to understand this breach - to borrow a phrase from Deep Throat talking about the Watergate scandal in "All The President's Men" - is to follow the money. This webinar will do that. It will detail what we know about the Target breach and how it happened, but it will place particular emphasis on the money trail: not only how the bad guys turn the data into cash, but also who ends up footing the bill, the role insurance can play, the likelihood of lawsuits, and so on. As such, this webinar represents a powerful opportunity to learn what really goes down as a breach unwinds, from a respected professional who has been in the trenches for decades. Our featured speakers for this webinar will be:

• Ted Julian, Chief Marketing Officer, Co3 Systems

• Mark Rasch, Chief Privacy Officer, SAIC

TRANSCRIPT

Page 1: The Target Breach – Follow The Money


Page 2: Agenda

• Introductions

• How The Money Flows

• The Fraud Cycle: Who wins? Who Loses?

• The Target Attack

• The Aftermath

Page 3: Introductions: Today’s Speakers

• Mark D. Rasch, Esq., Chief Privacy Officer, SAIC

• Ted Julian, Chief Marketing Officer, Co3 Systems

Page 4: The complete process – based on E.R. standards

PREPARE – Improve Organizational Readiness

• Appoint team members

• Fine-tune response SOPs

• Escalate from existing systems

• Run simulations (firedrills / table tops)

ASSESS – Identify and Evaluate Incidents

• Assign appropriate team members

• Evaluate precursors and indicators

• Correlate threat intelligence

• Track incidents, maintain logbook

• Prioritize activities based on criticality

• Generate assessment summaries

MANAGE – Contain, Eradicate, and Recover

• Generate real-time IR plan

• Coordinate team response

• Choose appropriate containment strategy

• Isolate and remediate cause

• Instruct evidence gathering and handling

• Log evidence

MITIGATE – Document Results & Improve Performance

• Generate reports for management, auditors, and authorities

• Conduct post-mortem

• Update SOPs

• Track evidence

• Evaluate historical performance

• Educate the organization

Page 5: THE PROCESS

Page 6: Intro

• When a cardholder uses a credit card to purchase merchandise, the transaction moves through a process that involves authorization, clearing and settlement.

• Each step of the process involves an exchange of transaction data and money that must be settled and balanced.

• This process ends when the cardholder pays for the merchandise listed on his/her monthly statement.

Page 7: Dramatis Personae

• Cardholder – The consumer who owns the card.

• Merchant – An entity that contracts with an Acquiring Processor to originate transactions.

• Acquiring Processor – An entity that communicates with Visa to gain approvals to complete cardholder transactions. Processor is an acquiring processor.

• Visa – The largest association member. Visa is the largest payment system, enabling 14,000 financial institutions to process over $1 trillion in annual transaction volume.

• Issuing Bank – The financial institution that issues the credit card. For example, CapitalOne, Chase, Wells Fargo.

Page 8: Other Parties (who can I blame?)

• Software vendor – creates and/or maintains general software

• CRM vendors and contractors – hired by merchant to maintain Customer Relations Management (CRM) data which feeds into POS terminal

• POS Terminal Vendor – supplier of POS terminals, related software, maintenance and support

• PCI/DSS-PA/DSS Assessor – assesses and certifies compliance with PCI DSS standards

• IT Security Staff/Consultants – conducted pen tests, other assessments

• IT Audit (internal/external)

• Third party vendors with access to Target network (HVAC)

• Don’t forget insurers!

Page 9: The Credit Card Transaction Process – Where does the data go?

• Step 1 - Authorization

Cardholder makes a purchase using a credit card. The merchant must obtain authorization for the purchase from the bank who issued the card.

• Step 2 - Clearing

If the transaction is approved, the next step is clearing. In this phase, the Issuing Bank obtains basic transaction data from the merchant such as the amount, date and location of the purchase. This data is then sent to the credit card issuer for posting to the monthly credit card statement.

• Step 3 - Settlement

In the final step, settlement, the funds are collected from the Issuing Bank and transmitted to the merchant. When a consumer uses a credit card, the merchant does not receive payment at the time of purchase. The bank credits the merchant’s bank account. The bank then sends payment to the processor who sends the payment to Visa. The cardholder receives a monthly statement and settles with Visa for purchases made using the credit card.

Page 10: The Four Party Model (Debit Card)

2/6/2014

[Diagram: the four parties Cardholder, Merchant, Issuer and Acquirer, with the flows between them labelled as follows.]

• Issuer ↔ Cardholder: convenience & payment instrument; transaction fees

• Cardholder → Merchant: purchase goods / services using card payment instrument

• Acquirer ↔ Merchant: card payment facility; settlement & payment services; merchant service charge

• Issuer ↔ Acquirer: settlement & risk bearing; interchange fee

Page 11: THE FRAUD CYCLE

Page 12: Fraud Flow

1. Issuer issues cc to consumer – not secure because of cost

2. Consumer fails to protect cc because of zero liability

3. Consumer uses cc at Target store; consumer swipes card at POS

4. Hacker steals number and sells it

5. Hackers post stolen credit cards on multiple “carder” forums around the world. The card numbers are purchased and sold within minutes/hours of their having been stolen

6. Carders use machines to create new “bogus” credit cards

7. Carders distribute these bogus cards worldwide

8. Carder “mules” use the bogus cards at ATMs or stores worldwide; mules purchase goods (or services) online or offline

9. The purloined products are sold on online auction sites

10. Some of the proceeds are used to finance new hacks

Page 13: Losers

• Issuer – reissue millions of cards, call centers 24/7 at Christmas

• Consumer – loss of confidence, anxiety, monitoring, inconvenience – possible $50 loss

• Target – massive dollar loss, cost of investigation, PCI DSS “fines,” AG investigations, loss of reputation, loss of confidence

• Target Stockholders – loss of share price (short and long term)

• POS Vendor/Processor – Possible liability (but look at contracts)

• Third party merchants – out sales, cardmember “present” vs. cardmember “not present” transactions.

• Manufacturers – lost sales because of fraudulent purchases

• Insurers – indemnify each of these parties

• Web/E-commerce merchants – fraudulent sales

• PCI DSS Certification entity

Page 14: SEC Disclosure

• Target stock price (6 month)

• TJX (5 year)

• Heartland Payment (5 year)

Item 1A. Risk Factors

There have been no material changes to the risk factors described in our Annual Report on Form 10-K for the fiscal year ended February 2, 2013.

Page 15: Target Class Actions

Page 16: SEC Disclosure

Page 17: Friendly Letters From Congress

Page 18: Trade Organization Response

Page 19: Winners

• Verizon business

• FBI/USSS

• Experian

• Data breach notification companies

• WalMart or competitors

• Hackers!

• Next Gen Payment System vendors

• Security Vendors/Consultants

• Forensic investigators

• Brian Krebs

• Cyber-insurance sellers

• Lawyers

Page 20: Finger Pointing – Target vs. Issuers

• Target – it’s the credit card issuers’ fault for having insecure “magstripe” credit cards (to save infrastructure costs). Target tried to push “Chip & PIN” cards but had resistance from banks. Upgrading Target alone to Chip & PIN = $100 million.

• Banks – it’s the merchant’s fault because of faulty security and trust models – PCI DSS violations.

• In 2012 banks bore 63% of fraudulent losses; merchants 37%*

• Bank losses come from counterfeit cards; merchant losses come from card-not-present (CNP) transactions on the Web, at a call center or through mail order.

• BUT – the goal is NOT to prevent/reduce fraud! The goal is to enhance consumer confidence.

* (Source: Nilson Report, August 2013)

Page 21: POLL

Page 22: THE ATTACK

Page 23: Threat model

• Attacker types

  • Class I: Clever outsiders – intelligent, but lack information; exploit known attacks

  • Class II: Knowledgeable insiders – have inside information on protocols/design; can use sophisticated tools

  • Class III: Funded organizations – have information, resources, equipment, and incentives; can employ class II attackers in teams

Page 24: Attacker Goals

• To get the crypto keys stored in RAM or ROM

• To learn the secret crypto algorithm used

• To obtain other information stored into the chip (e.g. PINs)

• To modify information on the card (e.g. calling card balance)

Page 25: Methodology

• Obtain access – likely SQL injection

• Obtain data – likely RAM scraper (inter-process communications hook)

• Aggregate data – create internal shared drive / use vendor hard-coded credentials (BMC)

• Store data – create password-protected root access remote file server with additional services

• Exfiltration – FTP or other access to remote file share (Cuckoo’s Egg)

Page 26: PIN Processing

Transaction PIN Flow Diagram …

[Diagram reconstructed as the sequence of hops it shows.]

1. Card Holder uses debit card (ATM/POS) & enters PIN.

2. PED or Payment Terminal – encrypts the PIN using the PIN Encryption Key already injected within the device.

3. Acquirer/Acquirer Processor – PIN is decrypted using the same key … and then encrypted by the Acquirer/Working Key, which may be shared with VisaNet or other Network.

4. Network (VisaNet or other) – PIN is decrypted using the Acquirer/Working Key … and then encrypted by the Issuer Working Key, which is shared with the Card Issuer.

5. Issuer – PIN is decrypted using the Issuer Key … and then validates the PIN. When the PIN is validated, the final transaction occurs.
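The hop-by-hop key translation the diagram describes, worked through in code as an added example (not material from the webinar): each party decrypts under the key it shares with the previous hop and re-encrypts under the key it shares with the next, so the clear PIN block exists only inside one party's HSM at a time, and a PIN block captured between hops is unusable without that zone's key. The ISO 9564 format-0 PIN block is real; the cipher is a keyed XOR stream from HMAC-SHA256 standing in for the HSM's 3DES/AES, and the keys and PAN are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK_LEN = 8  # a format-0 PIN block is 8 bytes

def format0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0: (0, PIN length, PIN, F padding) XOR (0000 + the 12 PAN
    digits left of the check digit), so equal PINs on different cards give unequal blocks."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[-13:-1].rjust(12, "0")
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))

def recover_pin(block: bytes, pan: str) -> str:
    """Inverse of format0_pin_block; raises if the bytes are not a valid format-0 block."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1].rjust(12, "0"))
    clear = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    length = int(clear[1], 16)
    if clear[0] != "0" or not 4 <= length <= 12 or not clear[2:2 + length].isdigit():
        raise ValueError("not a format-0 PIN block (decrypted under the wrong key?)")
    return clear[2:2 + length]

def xor_with_keystream(key: bytes, nonce: bytes, block: bytes) -> bytes:
    """Toy cipher standing in for the HSM's 3DES/AES: XOR with an HMAC-SHA256
    keystream. XOR is its own inverse, so one function both encrypts and decrypts."""
    stream = hmac.new(key, nonce, hashlib.sha256).digest()[:BLOCK_LEN]
    return bytes(a ^ b for a, b in zip(block, stream))

class Hop:
    """One box on the diagram: decrypt under the key shared with the previous party,
    re-encrypt under the key shared with the next. The clear block exists only inside
    translate(), i.e. inside this party's HSM, and never crosses the wire."""
    def __init__(self, name: str, key_in: bytes, key_out: bytes):
        self.name, self.key_in, self.key_out = name, key_in, key_out

    def translate(self, nonce: bytes, enc_block: bytes):
        clear = xor_with_keystream(self.key_in, nonce, enc_block)
        new_nonce = os.urandom(BLOCK_LEN)
        return new_nonce, xor_with_keystream(self.key_out, new_nonce, clear)

# Constructed sample keys; in a real deployment each is injected or exchanged out of band.
KEYS = {"ped": b"terminal-pin-encryption-key",
        "acquirer_working": b"acquirer-working-key",
        "issuer_working": b"issuer-working-key"}

def run_pin_flow(pin: str, pan: str, keys=KEYS):
    """Carry the PIN from PED to issuer; return the PIN the issuer recovers plus the
    ciphertext seen on each link (all a sniffer between hops could capture)."""
    nonce = os.urandom(BLOCK_LEN)                                   # 1. PED encrypts
    wire = xor_with_keystream(keys["ped"], nonce, format0_pin_block(pin, pan))
    captured = {"ped->acquirer": wire.hex()}
    hops = (Hop("acquirer", keys["ped"], keys["acquirer_working"]),            # 2.
            Hop("network", keys["acquirer_working"], keys["issuer_working"]))  # 3.
    for hop in hops:
        nonce, wire = hop.translate(nonce, wire)
        captured[hop.name + "->next"] = wire.hex()
    block = xor_with_keystream(keys["issuer_working"], nonce, wire)  # 4. issuer decrypts
    return recover_pin(block, pan), captured

def issuer_validates(pin_on_file: str, pin_entered: str, pan: str) -> bool:
    """Step 5: the issuer compares the recovered PIN with the one on file."""
    return run_pin_flow(pin_entered, pan)[0] == pin_on_file
```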

Page 27: PIN Weaknesses

• 4 digit PIN = 10k+ possible combinations (good)

• But > 10% of random PINs = 1234. Expanding a bit, 1234, 0000, and 1111 = 20%

• 26.83% of passwords can be cracked using the top 20 combinations.

• Birthday years are big. The 1900 PINs--1986, 1960, 1991, and so on--are extremely popular, with PINs from later in the century used the most.

• 17.8% = couplets, such as 7878, 8181

• And don’t forget 2580
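As an added example (not from the deck), a PIN-selection check an issuer could run at card activation, encoding the weak-PIN classes the slide names: 1234/0000/1111, repeated digits, sequences, couplets like 7878 and 8181, the 1900-series birth years, and the keypad column 2580. The sample PIN population, and the inclusion of 2580's reverse 0852, are my own constructions.

```python
import re
from collections import Counter

def _is_sequence(pin: str) -> bool:
    """Ascending or descending run of adjacent digits, e.g. 1234 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}

# Each pattern is named after the observation on the slide that motivates it.
WEAK_PIN_PATTERNS = {
    "top3": lambda p: p in {"1234", "0000", "1111"},      # together ~20% of PINs
    "repeat": lambda p: len(set(p)) == 1,                  # 0000, 1111, ..., 9999
    "sequence": _is_sequence,                              # 1234 and friends
    "couplet": lambda p: p[:2] == p[2:] and p[0] != p[1],  # 7878, 8181 (17.8%)
    "birth_year": lambda p: 1900 <= int(p) <= 1999,        # the "1900 PINs"
    "keypad_column": lambda p: p in {"2580", "0852"},      # 2580; the reverse is an assumption
}

def weak_pin_reasons(pin: str):
    """Names of every weak-PIN pattern the PIN matches; an empty list means acceptable."""
    if not re.fullmatch(r"[0-9]{4}", pin):
        raise ValueError("PIN must be exactly four digits")
    return [name for name, test in WEAK_PIN_PATTERNS.items() if test(pin)]

def is_acceptable_pin(pin: str) -> bool:
    return not weak_pin_reasons(pin)

def rejection_report(pins):
    """Share of a PIN population the policy would reject, and how often each reason fired."""
    reasons = Counter()
    rejected = 0
    for pin in pins:
        hits = weak_pin_reasons(pin)
        if hits:
            rejected += 1
            reasons.update(hits)
    return rejected / len(pins), dict(reasons)

# Constructed sample population, not real customer PINs.
SAMPLE_PINS = ["1234", "0000", "1111", "7878", "8181", "1986",
               "1960", "1991", "2580", "4729", "3058", "6142"]

if __name__ == "__main__":
    share, why = rejection_report(SAMPLE_PINS)
    print(f"policy rejects {share:.0%} of the sample; reasons: {why}")
```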

Page 28: Skimmers

• Another route – a physical attack; the skimmer collects, stores and transmits:

  • Magstripe data

  • Unencrypted PIN data

• Easy to install but needs physical access to device

• Can transmit data by Bluetooth, TCP/IP or store and dump

• New devices look exactly like regular pin pads, card slots

Page 29: THE TARGET ATTACK

Page 30: Target Timeline

[Timeline graphic; its events, in order:]

1. Hackers break in using credentials from PA HVAC contractor

2. DOJ contacts Target to inform them of the breach

3. Target meets with DOJ / USSS

4. Target retains investigators

5. Target notifies payment processors and card brands – begins malware removal

6. More malware removed from 25 disconnected terminals

7. Public breach notification

Page 31: What We THINK We Know

• Attack included POS Malware

• "Kaptoxa" ("potato" in Russian slang), renamed "DUMP MEMORY GRABBER by Ree[4]"

• "BlackPOS" ("ree4") has sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit card shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others.

• BlackPOS/Kartoxa versions and mods sold on the black market in source code

Page 32: Chat Transcript

Page 33: Dump Memory Grabber

Page 34: Meet the Author Rinat Shabaev

Page 35: The Weakest Link

• Hackers broke into Target’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.

• Why did HVAC contractor have/need network credentials?

• Why was this linked to CRM/Payment database?

• What vulnerability let hackers in to Fazio’s computers?

Page 36: Timeline

• Nov. 15 (Thanksgiving) and Nov. 28 (day before Black Friday), hackers upload RAM scraping software to small number of POS terminals at Target.

• Hackers test POS hack to make sure it works.

• Nov. 30 – expand to majority of POS devices.

• Nov. 30 – collect from live transactions.

• Nov. 30 – December 15 – collect and dump –

  • FTP from Russia?

  • Dump to hacked computer in Miami

  • Hacked drop server in Brazil.

Page 37: Anatomy of a Carder Network

• Multiple Parts – Multiple Actors

  • Trojan/Malware design

  • Access/Hack

  • Malware injection – social network?

  • Exploitation/harvesting

  • Acquisition of data and selling of data

  • Conversion of data to cards/goods/services

  • Conversion of goods/services to money

  • Distribution of money

Page 38: Curiosities of Target Hack

• Obtained PINs – suggests hack at POS

• BUT – obtained e-mail addresses – suggests hack at CRM

• Hacked tens of millions – suggests aggregated data

• BUT attack profile suggests individual POS attacked

• Targeted to Target’s software BUT multiple entities compromised

Page 39: Breach Aftermath

• Breach affected two types of data:

  • payment card data of 40 million who shopped at Target US Stores from November 27 through December 18

  • personal data (name, mailing address, phone number or email address) of 70 million people.

• Hacker stole a vendor’s credentials to access Target system

• Placed malware on POS terminals.

  • Designed to capture payment card data from the magnetic strip of credit and debit cards prior to encryption within Target system.

  • Malware also captured encrypted PIN data.

Page 40: Target Responses

1. End-to-end review of security of network.

2. Increased fraud detection for Target REDcard customers.

3. Reissuing new Target credit or debit cards to any customer who requests one.

4. Offering one year of free credit monitoring and identity theft protection to anyone who has ever shopped at our U.S. Target stores. Includes free credit report, daily credit monitoring, identity theft insurance and unlimited access to personalized assistance from fraud resolution agent.

5. Told customers to monitor accounts, and that there is zero liability.

6. Adding PIN and Chip for Target REDcards and POS.

7. $5MM for BBB and National Cyber Security Alliance and the National Cyber-Forensics & Training Alliance to advance public education around cybersecurity and the dangers of consumer scams.

8. Launch a retail industry Cybersecurity and Data Privacy Initiative that will be focused on informing public dialogue and enhancing practices related to cybersecurity, improved payment security and consumer privacy.

Page 41: POLL

Page 42: THE AFTERMATH

Page 43: It ain’t over

• Neiman Marcus, Michaels, and others

• FBI January 17 report: "Recent Cyber Intrusion Events Directed Toward Retail Firms."

  • "We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it”

  • "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors," the FBI said.

  • Malware was being sold online for over a year for about $2,000

• 1/30 2014 – millions of Yahoo! passwords stolen

Page 44: Enforcement Actions

• Federal Trade Commission – Section 5 of FTC Act

  • Enforce privacy policies and challenge data security practices that cause substantial consumer injury

• State Attorney General – State Notification Statutes

  • Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”

  • Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”.

• Litigation in federal or state courts

Page 45: Litigation – Unusual Court Rulings

• Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121 (N.D. Cal. 2008).

  • Laptop computer stolen, which contained approximately 800,000 Gap job applications (including name and social security no.)

  • Court denied defendant’s motion for summary judgment and held that plaintiff “has alleged injury in fact” to establish standing

  • “Increased risk of identity theft” constituted sufficient “injury in fact”

Page 46: Litigation – Unusual Court Rulings

• Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).

  • Laptop computer stolen from employer’s pension consultant, which contained personal information (including name and social security no.)

  • Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of fiduciary duty

  • Court denied motion with respect to claim that plaintiff was third-party beneficiary between defendant and plaintiff’s employer

Page 47: Send In the Insurers

• Target self-insured for the first $10 million

• $15 million of excess coverage with Ace Ltd.;

• $15 million layer with American International Group Inc.;

• $10 million layer with Bermuda-based Axis Capital Holdings Ltd.;

• Another $10 million coverage layer with AIG;

• Quota share for the next $40 million of cyber insurance divided among four unidentified insurers.

• Executive liability = $10 million self-insured retention; then $25 million in primary D&O coverage with AIG; then $15 million of coverage with Ace; and then $15 million of coverage with the Hartford, Conn.-based Travelers Cos. Inc.

Target could be facing losses of up to $420 million
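To see who foots the bill, the tower above allocated in code, as an added example that is not part of the deck: each layer pays up to its limit once the layers below it are exhausted, and whatever exceeds the top of the tower falls back on Target. The equal split of the $40 million quota share among its four insurers is an assumption the slide does not state.

```python
from typing import Dict, List, Tuple

# Each layer: (description, carriers sharing it, limit in $ millions), listed in the
# order the tower fills. The quota-share layer is split equally among its four
# carriers: an assumption, since the slide does not give their shares.
CYBER_TOWER: List[Tuple[str, List[str], float]] = [
    ("self-insured retention", ["Target"], 10),
    ("excess layer", ["Ace Ltd."], 15),
    ("excess layer", ["AIG"], 15),
    ("excess layer", ["Axis Capital"], 10),
    ("excess layer", ["AIG"], 10),
    ("quota share", ["QS insurer 1", "QS insurer 2", "QS insurer 3", "QS insurer 4"], 40),
]

# Executive-liability (D&O) tower from the same slide.
DO_TOWER: List[Tuple[str, List[str], float]] = [
    ("self-insured retention", ["Target"], 10),
    ("primary D&O", ["AIG"], 25),
    ("excess layer", ["Ace Ltd."], 15),
    ("excess layer", ["Travelers"], 15),
]

def tower_limit(tower) -> float:
    """Total of all layers, i.e. the most the tower can ever pay."""
    return sum(limit for _, _, limit in tower)

def allocate_loss(loss: float, tower) -> Tuple[Dict[str, float], float]:
    """Fill the tower bottom-up: a layer pays only after every layer beneath it is
    exhausted, and pays at most its limit. Returns (paid per carrier, loss above the tower)."""
    paid: Dict[str, float] = {}
    remaining = loss
    for _, carriers, limit in tower:
        layer_share = min(remaining, limit)
        for carrier in carriers:
            paid[carrier] = paid.get(carrier, 0.0) + layer_share / len(carriers)
        remaining -= layer_share
    return paid, remaining

def target_bears(loss: float, tower) -> float:
    """What Target pays itself: its retention plus anything above the top of the tower."""
    paid, uninsured = allocate_loss(loss, tower)
    return paid.get("Target", 0.0) + uninsured

if __name__ == "__main__":
    for loss in (30, 100, 420):
        paid, over = allocate_loss(loss, CYBER_TOWER)
        print(f"${loss}M cyber loss -> insurers pay {paid}; above tower ${over}M; "
              f"Target bears ${target_bears(loss, CYBER_TOWER)}M")
```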

Page 48: QUESTIONS

Page 49: The Target Breach – Follow The Money

One Alewife Center, Suite 450, Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” – PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.” – GARTNER

“Platform is comprehensive, user friendly, and very well designed.” – PONEMON INSTITUTE

“One of the hottest products at RSA…” – NETWORK WORLD – FEBRUARY 2013

Mark D. Rasch, Esq.

[email protected]

(301) 547-6925