How Target hackers hit the bullseye

Shopping at Target
A woman pays by credit card while checking out at a Target Store in Colma, Calif., Thursday, Nov. 28, 2013. Instead of waiting for Black Friday, which is typically the year's biggest shopping day, more than a dozen major retailers are opening on Thanksgiving day this year.
AP Photo/Jeff Chiu

When it comes to stealing personal data from a retailer's customers, security experts say thieves are relentless in searching for the digital equivalent of unlocked doors or windows.

Often, they operate from a safe distance, in countries such as Ukraine, where they feel beyond the reach of U.S. law.

"The cyber thieves are constantly looking for the next big vulnerability where people aren't watching," said Barbara Endicott-Popovsky, director of the Center for Information Assurance and Cybersecurity at the University of Washington.

"They're looking for the easiest place to attack," she said. "But they're also looking for the biggest bang for the buck. That's why these point-of-sale systems are so good."

Point-of-sale systems are the digital equivalent of a cash register. They record transactions and read the customer's payment card, and in Target's case they gave up an enormous amount of customer information.

That's how bandits were able to grab 40 million payment card numbers from Target customers from late November to mid-December. They also took names, phone numbers, e-mail and street addresses for 70 million customers.

Target is trying to make amends with shoppers. Today, the retailer formally extended to customers its offer of one year's free credit monitoring, part of its effort to make up for the massive data breach in which shoppers' payment card and personal information was stolen.

Meanwhile, U.S. Rep. Maxine Waters of California and other House members are calling for a hearing on the data breach. Waters said today that at least four other retailers' IT systems have been hacked.

Shoplifters rip off retailers for billions of dollars every year. But they don't steal from a merchant's honest customers, at least not directly. Cybercrooks do, disrupting customers' finances and lives, and those attacks are the ones that hurt retailers most.

"I think you'd be hard-pressed to find someone who would argue that the theft of merchandise poses a greater risk to retailers than the theft of customers' payment information," said Lisa LaBruno, an executive with the Retail Industry Leaders Association, an industry trade group for large retailers.

Target is working with the United States Secret Service, Department of Justice and forensics experts to investigate how malicious software got into the retailer's point-of-sale system in nearly 1,800 U.S. stores. Target officials have said the company closed the "access point" that the criminals used. But the company isn't sharing details.

How could thieves penetrate Target's check-out system to install malware?

Justin Cappos, a computer science professor at the Polytechnic Institute of New York University, suspects the delivery can be traced to the point-of-sale computer code, known as a software image.

"Either the hacker got in and infected the main software image that was pushed down to all the point-of-sale systems or there was a common problem with the images that let a hacker compromise all of those point-of-sale systems," he said.

Some experts prefer the theory that hackers found a common vulnerability in the software after it was installed.

Retailers are very cautious about updating point-of-sale code and it's hard to intercept updates and mess with them, said Jonathan Katz, director of the University of Maryland Cybersecurity Center.

Katz said it's possible a malevolent hacker was able to plant some malicious code on a sales terminal by posing as a Target technician. Another possibility is that the thieves used virus-laden e-mails or thumb drives to plant malicious software on the computers of point-of-sale system administrators.

"If the machines are connected to each other on some internal network then the malware can spread the way a typical worm or virus spreads," Katz said.

How might the malware send the private information to the thieves?

In one case involving TJ Maxx, thieves exploited the retailer's insecure Wi-Fi network to capture consumer data. But criminals should not have been able to use Target's free Wi-Fi connections to send out stolen information, Katz said.

"Hopefully, that network is not connected to the same network as these point-of-sale terminals," he said. "At least, one would hope that's the case. But if it were, that leaves the door open for an attacker."

But the crooks could have exploited human frailty rather than IT flaws, said Endicott-Popovsky of the University of Washington.

"It could have been an insider that compromised the system," she said. "It might not have had anything at all to do with how well or poorly protected the Target systems were."

However the crooks managed to get into Target's check-out terminals, experts say they likely used a so-called RAM scraper to grab data that is only briefly in the machines' memory.

Endicott-Popovsky said RAM scrapers capture data when it's most vulnerable, right after the card is swiped.

At that point, she said, the card data sits in the point-of-sale system's memory, or RAM, as plain, unencrypted text.

"You can grab that information and you don't have to crack the encryption code," she said.

In that brief moment, before the retailer's system encrypts the data, valid credit card numbers and other customer information are free for the taking.
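What a RAM scraper actually looks for is shown below as an added example; it is not code from the article and not taken from any malware analysed in the Target case. A magnetic-stripe read lands in the payment process's memory as ISO 7813 track strings ("%B...^NAME^...?" for track 1, ";PAN=YYMM...?" for track 2), so a scraper just walks the process's readable memory with a regular expression and keeps the hits whose card number passes the Luhn check. The memory slice and the card numbers here are constructed test data (the well-known 4111... and 5555... test PANs), and the scanning function is my own illustration of the technique, not a real tool.

```python
import re
from typing import Dict, List

# Track layouts from ISO/IEC 7813, reduced to the fields a scraper wants:
# the primary account number (PAN), the expiry (YYMM) and, for track 1,
# the cardholder name. Byte patterns, because we scan raw memory.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]*\?")

# Constructed sample of POS process memory: unrelated bytes, one track-1
# read, one track-2 string with a made-up PAN that fails Luhn (noise a
# scraper discards), and one valid track-2 read. Test PANs only.
SAMPLE_MEMORY = (
    b"\x00\x00POS v2.1 txn=00017\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"  # track 1, valid
    b"\x00\xff\x13"
    b";1234567890123456=2512101?"                        # track 2, bad Luhn
    b"\x00\x00"
    b";5555555555554444=2512101000000000?"               # track 2, valid
    b"\x00\x00 receipt printer ready \x00"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: the cheapest filter for 'is this really a PAN'."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4, as a defender's report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[Dict[str, object]]:
    """Scan a memory buffer for cleartext track 1 / track 2 strings.

    This is the scraper's core loop. Each hit records where it was found
    and whether the PAN survives the Luhn check.
    """
    hits: List[Dict[str, object]] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({
            "track": "1", "offset": m.start(), "pan": pan,
            "name": m.group(2).decode(errors="replace"),
            "expiry": m.group(3).decode(), "luhn_ok": luhn_ok(pan),
        })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({
            "track": "2", "offset": m.start(), "pan": pan, "name": "",
            "expiry": m.group(2).decode(), "luhn_ok": luhn_ok(pan),
        })
    hits.sort(key=lambda h: h["offset"])
    return hits


def cleartext_cards(buf: bytes) -> List[str]:
    """Defender's view: masked PANs of every Luhn-valid track string in
    the buffer. A non-empty result means card data is sitting unencrypted
    in the scanned memory, which is exactly the window a scraper exploits."""
    return [mask_pan(h["pan"]) for h in find_track_data(buf) if h["luhn_ok"]]


if __name__ == "__main__":
    for h in find_track_data(SAMPLE_MEMORY):
        print(f"track {h['track']} @ {h['offset']:#06x} "
              f"{mask_pan(h['pan'])} exp {h['expiry']} luhn={h['luhn_ok']}")
    print("cleartext cards resident:", cleartext_cards(SAMPLE_MEMORY))
```

The same scan is the defender's check: run `cleartext_cards` over a dump of the payment application's memory (or add the two patterns as memory-scan signatures) and any hit means the terminal is holding track data in the clear during the window the article describes. Hardware that encrypts at the swipe head, before the data reaches the POS application's memory, is what closes that window.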
