Hacking Away at the Bottom Line

Hilary Tuttle


March 1, 2014


In a widespread data breach between Nov. 27 and mid-December, hackers acquired the personal information of between 70 million and 110 million Target customers. At the low end, this accounts for one-third of adult Americans.

The card data was collected from Target’s point-of-sale (POS) systems, utilizing malware to save names, credit card numbers, expiration dates, security codes from the backs of cards and encrypted PINs when customers swiped at in-store registers. Phone numbers, email accounts and physical addresses were accessed through a back-end database. Within two weeks, the hackers had taken 11 gigabytes of data—less than the amount of memory on even the cheapest iPhone, but enough to include 40 million payment card records and 70 million records containing customers’ information.

Stolen information began flooding the market almost immediately. On Dec. 11, fraud-tracking company EasySolutions noticed that black market websites like Rescator had a ten- to twentyfold increase in the number of high-value stolen cards from nearly every bank and credit union. When cybersecurity blogger Brian Krebs began inquiring about the surge, he learned the cards had one thing in common: recent use at a Target store. Prompted by his repeated calls, the company came forward and announced the second-largest retail data breach in history.

In a report from Jan. 17, the FBI identified about 20 similar cyberattacks and warned retailers of a growing threat to sales terminals. These early versions may have been practice runs, though the technology itself has been around for several years. Investigators think the same cybercriminals—“a loose band of hackers from Eastern Europe”—were also responsible for an attack on Neiman Marcus immediately before Target’s system was breached.

From July 16 to Oct. 30, malware on POS terminals in Neiman Marcus stores exposed information for 1.1 million debit and credit cards. Approximately 2,400 cards used at the retailer’s stores and its Last Call outlets were later used fraudulently, Visa, MasterCard and Discover reported. The attack was not fully contained until Jan. 12. The stolen data is slightly less significant than that from Target, however, as Neiman Marcus does not collect PINs in its stores.

“What this highlights is that the point-of-sale systems customers use to swipe their credit cards are connected to the corporate network like everything else,” Anup Ghosh, founder of security software company Invincea, told the New York Times. “There is lots of opportunity to compromise individuals through point-of-sale machines and then pivot to the corporate network.”

RAM Scraping
When a customer swipes a card at a cash register, there is a split second when credit card data is decrypted before the transaction can be authorized. For this brief moment, the unencrypted data is stored locally, and RAM-scraping malware takes advantage by stealing the data from the computer’s live memory. In Target’s case, the code instructed registers to send customer data once every hour to an infected server, then immediately deleted the local storage file to avoid detection, according to iSight Partners, a security firm investigating the attack with the Secret Service.
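A register that ships data to an internal server once an hour leaves a regular pattern in network flow records, which a defender can look for. The sketch below is an added example, not code from the article or the investigation; the host names, allowlist and log format are assumptions, and the flow records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records (time, source, destination, bytes). Host names are
# hypothetical; nothing here comes from the Target investigation.
SAMPLE_FLOWS = """\
2013-12-02T01:03:10 pos-0417 pay-gw-01 2210
2013-12-02T01:12:00 pos-0417 files-int-07 48211
2013-12-02T01:40:52 pos-0417 pay-gw-01 1987
2013-12-02T02:12:05 pos-0417 files-int-07 51902
2013-12-02T02:30:41 pos-0032 files-int-07 900
2013-12-02T03:11:58 pos-0417 files-int-07 47750
2013-12-02T04:12:02 pos-0417 files-int-07 50133
2013-12-02T04:47:30 pos-0032 files-int-07 1200
2013-12-02T05:12:01 pos-0417 files-int-07 49876
"""

# Assumption: registers only ever need to reach the payment gateway.
ALLOWED_DESTS = {"pay-gw-01"}


def parse_flows(text):
    """Turn 'time src dst bytes' lines into (datetime, src, dst, int) tuples."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(datetime.fromisoformat(ts), src, dst, int(n)) for ts, src, dst, n in rows]


def find_periodic_transfers(flows, allowed, period_s=3600, tolerance_s=120, min_events=4):
    """Flag register -> non-allowlisted host pairs that transfer on a fixed schedule."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        if src.startswith("pos-") and dst not in allowed:
            by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue  # too few events to call it a schedule
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Machine-driven transfers show a mean gap near the period and little jitter.
        if abs(mean(gaps) - period_s) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            findings.append((src, dst, len(times), round(mean(gaps))))
    return findings


if __name__ == "__main__":
    print(find_periodic_transfers(parse_flows(SAMPLE_FLOWS), ALLOWED_DESTS))
```

On the constructed records, only the register that contacts the non-allowlisted host at a steady one-hour interval is reported; the host with two irregular connections falls below the event threshold.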

The memory-scraper used by the hackers—called “Kaptoxa” after a Russian word in its code—was more advanced than most. To further avoid detection, the criminals made use of multiple servers and an element that may surprise fans of most fast-paced heist films: extra time. After gathering the data on an infected internal server, they waited six days to move it to an infected web server, then to a server in Russia that acted as a proxy to mask the criminals’ actual location, the New York Times reported.

While there have been instances where criminals physically implanted malicious code in the point-of-sale systems on the factory floor, it is usually installed remotely after hackers manage to break into the system through other means. At the end of January, investigators discovered that hackers got into the system by utilizing network credentials stolen from third-party vendor Fazio Mechanical Services, a refrigeration, heating and air conditioning subcontractor that had worked at several Target locations. The compromised system and the payment system do not appear to be connected, but the hackers were somehow able to gain a foothold from which they could access POS devices.

Checking the Receipt
The breach carries a massive price tag for both Target and the credit card industry. Total damage to banks and retailers could be over $18 billion, and consumers could be liable for more than $4 billion in uncovered losses and other costs, Javelin Strategy and Research reported.

Hackers could not have picked a worse time to undermine consumer confidence in the nation’s second largest big box store. Because of the holiday season, the fourth quarter accounts for 20% to 40% of a retailer’s annual sales. The chain started off with stronger-than-expected sales, but the breach quickly took a toll on the bottom line. Despite attempts to entice customers back with pre-Christmas discounts and PR assurances, Target reported a post-breach decline in sales of up to 6% compared to last season. The company’s stock price has dropped almost $10 since the attack was made public—a 15% decline in value.

Credit card companies also face huge losses. There has been no wholesale reissue of credit cards as they are harder to defraud, but millions identified as vulnerable have been replaced. The Consumer Bankers Association estimates that it costs an average of $10 for banks to replace a card—contrary to the $4 to $5 figure often cited. As a result, U.S. banks have spent more than $153 million so far replacing 15.3 million debit and credit cards, and the numbers are still growing. Further, there is considerable expense to provide customer service required for banks to help anxious customers, particularly with debit cards.

To help mitigate the risk of fraud losses, card companies restricted some use among customers who might be impacted. On Dec. 21, Chase limited the use of debit cards to $100 per day in checking account withdrawals and $300 per day in purchases. Consumers’ shaken faith in the security at stores and reduced access to funds may have combined to further decrease overall spending during a critical sales period.

“This will impact many Target business partners—Visa, MasterCard, and the host of banks and credit agencies that now have to keep an eye on the 110 million customers now vulnerable to identity theft,” Hemu Nigam, founder of security and privacy consulting firm SSP Blue, told the New York Times. “It affects more than Target customers...It affects the entire economic infrastructure.”

Securing a Future
In the wake of the breach, retailers and consumers alike have begun asking how to prevent the risk of such massive data theft. While the United States accounts for 27% of worldwide credit card transactions, it is responsible for 47% of card fraud, according to The Nilson Report. Many experts suggest EMV technology may finally be the answer to increased security for American cards.

Already common in Europe, EMV technology—named for its founders, Eurocard, MasterCard and Visa—utilizes embedded chips that, unlike magnetic strips, make it nearly impossible to counterfeit cards. The chips authenticate a card as a legitimate bank card, contain the data usually stored in a magnetic strip, and have a certificate so that each transaction is digitally signed. Even if a thief managed to obtain the card data, he could not generate the code needed for a transaction without the certificate.
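A simplified model of the per-transaction signing described above, added here as an illustration and not taken from the article or the EMV specifications. HMAC-SHA256 stands in for the chip's cryptography, and the class names, key handling and test card number are assumptions.

```python
import hashlib
import hmac
import secrets

def _msg(pan, amount_cents, nonce, atc):
    # Everything the cryptogram covers: card, amount, terminal nonce, counter.
    return f"{pan}|{amount_cents}|{nonce.hex()}|{atc}".encode()

class ChipCard:
    """Toy chip: the key stays inside the object; only cryptograms leave it."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0
    def sign(self, amount_cents, nonce):
        self.atc += 1  # transaction counter makes every cryptogram unique
        tag = hmac.new(self._key, _msg(self.pan, amount_cents, nonce, self.atc), hashlib.sha256)
        return self.atc, tag.digest()

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan):
        key = secrets.token_bytes(32)  # per-card secret shared by chip and issuer
        self._keys[pan], self._last_atc[pan] = key, 0
        return ChipCard(pan, key)

    def authorize(self, pan, amount_cents, nonce, atc, cryptogram):
        key = self._keys.get(pan)
        if key is None or atc <= self._last_atc[pan]:
            return False  # unknown card, or a counter value already seen
        expected = hmac.new(key, _msg(pan, amount_cents, nonce, atc), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # cryptogram was not made by this card for this purchase
        self._last_atc[pan] = atc
        return True

def demo():
    """Return (genuine, replayed, reused_on_new_purchase, card_data_only)."""
    issuer = Issuer()
    card = issuer.enroll("4000000000000002")  # constructed test number
    nonce = secrets.token_bytes(4)            # terminal's unpredictable number
    atc, tag = card.sign(2599, nonce)
    genuine = issuer.authorize(card.pan, 2599, nonce, atc, tag)
    replayed = issuer.authorize(card.pan, 2599, nonce, atc, tag)
    reused = issuer.authorize(card.pan, 99900, secrets.token_bytes(4), atc + 1, tag)
    data_only = issuer.authorize(card.pan, 2599, nonce, atc + 2, bytes(32))
    return genuine, replayed, reused, data_only

if __name__ == "__main__":
    print(demo())
```

Only the first request, signed by the chip for that purchase, is approved; the copied card number and a previously captured cryptogram are rejected in every other case.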

In Europe, 81% of cards have EMV chips, and countries that have adopted the technology saw sharp declines in credit card fraud. In England, the amount of fraud per transaction has dropped 57% since 2002, while it has risen almost 70% in the United States over the same period, according to consulting firm Celent.

Major card companies have expressed broad support for EMV, going so far as to tell American retailers that they need to have compatible hardware by the end of 2015. Yet retailers and some card issuers are resistant. The cost of adopting EMV has been estimated at about $15 billion, leaving some to ask if the technology may have a greater price tag than the fraud itself.

But the normal reissuing cycle for cards and acceptance terminals already happens every few years, drastically aiding the transition. “Phasing out the old technology and issuing new cards and terminals with EMV on the existing reissuing cycle would cost about $5 billion to $8 billion,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “The only extra cost is a supplemental amount to manufacture the cards themselves and the terminals to be compatible.” According to Vanderhoof, the industry is already two years into the integration effort and three to five years should be a reasonable timeframe to complete the shift.

“The biggest threat to consumers is when cards are counterfeited, and this technology should dramatically change that risk,” Vanderhoof said. “Beyond the financial risk of fraud, customers are stressed and inconvenienced by the possibility that, if they don’t scour their statements regularly, they may be victimized. EMV would improve the consumer experience, and the risk.”

EMV alone may not be enough, however. Chips drastically reduce the risk in card-present transactions, but do not offer much extra help for e-commerce or other purchases that do not require a card in person. Vanderhoof noted that also adding tokenization, which creates a new code for each transaction, and risk-scoring based on a customer’s IP address and purchasing patterns, may help merchants to mitigate fraud risk without losing out on sales.

Hilary Tuttle is managing editor of Risk Management.