Target Corporation is the victim of the biggest credit card security breach to date, affecting up to 110M cards. That’s an amazing statistic by itself, but the problem is even worse – it remains unclear exactly what happened or if other companies are themselves targets of the same thieves.
But that is only to be expected in a system that is only as secure as its weakest link – and where the potential gain from hacking it is nearly unlimited money. There is little doubt that even before we learn exactly what happened at Target it will happen again, on scales both large and small.
Let’s start with what we know so far:
Online credit card fraud is a very big business, and that is almost certainly the main destination of the stolen information. In 2013 it was estimated at $3.5B total. To put that into perspective, that’s a bit more than retail giant Target’s net profit in the same year. It accounts for nearly 1% of all online sales, a huge number when you consider that Target’s net profit margin is a shade over 4%.
It is fueled by stolen card numbers, which just about anyone, anywhere, can enter on a screen without producing the physical piece of plastic. This represents the most important weakness in the entire system of credit card security, because with only a set of numbers a thief can buy anything they want and fence it later.
On 19 December, Target announced that stored credit card information of up to 40M had been breached. The announcement came a day after the breach was reported publicly and apparently more than three weeks after it started. It wasn’t until 10 January that they announced that 70M people had additional personal information captured in the security breach, some of them probably included in the first group. Their CEO, Gregg Steinhafel, took to MSNBC to try to calm things on 12 January, but ultimately had to admit that the company still doesn’t “know the full extent of what transpired.”
The best we can say so far is summarized by Brian Krebs, the man who first broke the story. The focus is on malware at the Point-of-Sale (POS) systems that every store uses to process cards. This is a must-read article on the theft. The current theory is that this system was infiltrated off the web by Russian or Ukrainian gangsters. And this is the end of what is known about the story so far.
There are several problems with the prevalent theory, however. Such a breach from the web would have to mean that numerous ordinary firewalls and other security systems were not in place, and some of the information, such as addresses, is not stored in the POS system. Signs still point to an inside job performed by an employee or a consultant. Yet up until now no one has even suggested that this is the focus of the investigation – more than 6 weeks after the crime was first committed.
As of today we do not have a complete list of the boosted information or any reasonable theory as to how it was stolen. That seems to be a bigger problem than the credit card numbers themselves.
Stepping back from the problems discovered by Target, we can only reasonably expect that something like this is going on constantly, every day. Without knowing what happened it’s impossible for any retailer to know how to protect themselves, or for consumers to know how to prevent their cards from being stolen. The entire system has to be considered unsafe and compromised until proven otherwise.
Nor will it be easy to fix whatever problem is uncovered, even if it turns out to be an inside job. Breaches like this occur every day, and the tools to perform more and more intricate data-stealing schemes are circulated in the dark corners of the ‘net. The rise of online retail only provides more opportunities to buy goods to fence with the stolen information, making it easier and more lucrative.
Whatever happened to Target has to be seen as something much bigger than even the eye-popping numbers tell us immediately. This had to happen on this scale eventually to someone, somewhere, no matter what it turns out went down. The system has been broken for a long time and the potential reward for abusing it is far too large to stop theft easily.
And we still don’t even know what happened. For that reason alone, the entire network of credit cards has to be considered insecure.