Cards Stolen in Target Breach Flood Underground Markets

A security researcher, writing in KrebsonSecurity.com, reported that payment card information stolen from a recent breach at Target stores has begun appearing for sale on underweb marketplaces for between $20 and $100 per card.

Prior to breaking the story of the Target breach Dec. 18, Brian Krebs spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of bank card accounts from a well-known card shop, an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality dumps, data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of victim bank account.

In this instance of the massive Target breach, the hackers here have taken aim at the point of sales or POS systems in Target retail stores. Recently, we have seen the attackers have been increasingly focused on small businesses and retail merchants. When searching for vulnerable targets, attackers are discovering that many retail merchants and point of sale terminals have not implemented some of the basic security measures required by the PCI DSS, called the Payment Card Industry Data Security Standard. As a result, attackers increasingly are seeking to compromise the retail merchants environments through targeted production line type attacks. Unfortunately, these attacks go undetected for long periods of time due to a lack of monitoring by the retail merchants. This seems rather obvious from the information revealed already about this Target breach.

Payment card data loss is very costly. If the attacker was able to access payment card data, the merchant may be held financially responsible for any resulting fraud loss and for other costs. That makes it imperative for Target in this case to have a forensic examination performed by a PCI forensic investigator, which by itself can be very expensive.

The question is: How could Target have protected its systems from these point of sale attacks? In most cases, the point of sale terminals are compromised through improperly configured remote access technologies used in their POS applications. Examples of remote access technologies include PCAnywhere, VNC, GoToMyPC.com etc. All remote access should utilize two factor authentication, in accordance with PCI DSS requirements. Two factor authentication is commonly established by using two of the following identifiers: password, secure token or fingerprint. Besides ensuring compliance with the PCI DSS, the security focus should also be on its hardware POS terminal and or POS payment applications.

Oftentimes merchants use a hardware POS terminal in conjunction with a personal computer-based payment application to process payment transactions, manage consumer accounts, maintain inventory, etc. The PCI SSCs payment application data security standard or PA-DSS requires payment application vendors to build their solutions securely to mitigate the risk of compromise for merchants using commercially available payment applications. In this case, Target would have been required to utilize a PA-DSS validated payment application.