A few security lessons from the Target breach

By Susan Bradley on January 23, 2014 

The Target breach points out a fact of life for anyone who pays with plastic: we're all targets (pun intended) of cyber thieves.

Fortunately, there are steps we can take to protect ourselves. Here’s how to protect yourself from the next big breach.

I am a target. I shop online, I shop in large department stores, and I regularly use credit and debit cards. Shopping at large stores that process thousands of sales daily makes me even more of a target, because my transaction information (name, account number, etc.) gets combined with that of all other shoppers. And I became a potential victim when I shopped at Target this past Christmas shopping season.

These days, every time I swipe my credit card on a point-of-sale system, I think to myself: "Is this vendor doing all they can to keep me safe?" Retail companies believe they are, claiming that by following the Payment Card Industry (PCI) standards they're doing all they can to keep customer credit-card information safe. But I'm not convinced, especially in the U.S. European credit cards are considered harder to clone because transactions use the card's onboard chip rather than the magnetic stripe that U.S. cards still rely on.

Malware designed to attack point-of-sale systems

Many ATMs and point-of-sale (POS) systems run a version of Windows called Windows Embedded. Built from the same code base as Windows XP, Windows 7, or Windows 8, it is componentized so that a device image carries only what it needs, and it is meant to run with limited rights. What sets it apart from desktop Windows is its write filters (the Enhanced Write Filter and File-Based Write Filter in the XP and Windows 7 generations, the Unified Write Filter in Windows Embedded 8). A write filter intercepts writes to the protected C: volume and redirects them into an overlay, usually held in RAM; the overlay is thrown away at reboot, so nothing lands on disk unless an administrator deliberately commits it.

I use Win7-based Windows Embedded on specific workstations in my office. It lets only authorized users sign in to a server. These workstations’ only function is to support the I/O functions of a keyboard, a mouse, two monitors, and a printer. The server — a much more powerful computing device than a typical desktop PC — handles all the real processing.

Windows 7 Embedded was released in July 2010. But Windows XP Professional for Embedded Systems dates back to Dec. 31, 2001, and will be supported by Microsoft until the end of 2016, as noted on a Microsoft Product Lifecycle page. (In contrast, support for desktop versions of Windows XP ends in less than three months.)

Moreover, Windows Embedded systems are not patched like regular workstations; updating one usually means installing a whole new image. Embedded systems therefore see fewer updates, and in most cases they don't need frequent patching: they're locked down and set up to function like dumb terminals, merely passing data along to a back room or an online server. That should make Windows Embedded devices inherently more secure than the Windows machine on your desktop. But note what a write filter actually protects: the disk. It does nothing against code that gets onto the box and runs entirely in memory, and at the next reboot it will just as happily discard the logs and other evidence that such code was ever there.

Based on reports on the Web, memory-scraping malware was used in the Target breach. As noted in an excellent Krebs on Security blog post, the malware was designed to collect credit-card data briefly stored in the memory of POS machines. Card data is encrypted before it leaves the terminal, but between the swipe and that encryption step the track data read from the magnetic stripe sits in cleartext in the POS application's memory, and that is where a scraper reads it. (The malware writers were perfectly aware that these systems don't save data to a C: drive.) Cyber thieves then used the stolen data to clone valid credit cards.

The malicious code was also written to bypass common virus-detection software. As Krebs notes in his article, the file-scanning service VirusTotal showed the sample being missed by more than 40 antivirus engines: not one of them flagged it. Keep in mind what that result does and does not mean. A VirusTotal verdict is a point-in-time check of signature-based engines against one file, and a sample crafted for a single victim will rarely be in anyone's signature database on the day it is deployed. That is why detection of POS malware has to lean on behaviour (a process reading other processes' memory, a terminal talking to an unexpected network destination) rather than on file signatures alone. Anyone who's run up-to-date antivirus software and still become infected won't be surprised that POS malware specifically designed to thwart detection went undetected.
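Signature engines missed the sample, but the data a scraper hunts for has a fixed, well-documented shape, and searching for that shape is signature-independent. The following is an added example written for this article, not code from the breach or from any vendor: it scans a constructed byte buffer the way a scraper (or a memory-forensics pass over a dumped POS process) would, pulling out ISO 7813 track-1 and track-2 records and Luhn-checking the account numbers so that random digit runs are not reported. The buffer contents are constructed and the card numbers are published test numbers, not real accounts.

```python
"""Added example: hunt for magnetic-stripe track data in a memory buffer.

A RAM scraper looks for exactly this pattern in POS process memory; a
defender can run the same search over a memory dump to confirm whether
cleartext card data is exposed. The buffer below is constructed, and the
PANs are published test numbers, not real cards.
"""
import re

# Track 1 (ISO 7813): %B<PAN>^<surname/name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")

# Constructed: junk bytes around two valid-looking records and one with a bad PAN.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP.EXE\x00\x90\x90"
    b"%B4111111111111111^DOE/JANE^25121010000000000?"
    b"\xff\xfe\x00 settle.dll \x00"
    b";5555555555554444=2512101000000000?"
    b"\x00garbage;4111111111111112=2601101?\x00"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four only, so a report does not itself leak PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return every track-1/track-2 record in buf, ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"offset": m.start(), "track": 1, "pan": mask(pan),
                     "expiry": m.group(3).decode(), "luhn": luhn_ok(pan)})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"offset": m.start(), "track": 2, "pan": mask(pan),
                     "expiry": m.group(2).decode(), "luhn": luhn_ok(pan)})
    return sorted(hits, key=lambda h: h["offset"])


def exposed_pans(buf: bytes) -> list:
    """Luhn-valid hits only: the records a scraper would actually sell."""
    return [h for h in find_track_data(buf) if h["luhn"]]


if __name__ == "__main__":
    for h in find_track_data(SAMPLE_MEMORY):
        print(h)
```

Run against a real process dump, the same two patterns are what a YARA rule or a memory-forensics plugin would carry; the Luhn check matters because POS memory is full of digit strings that are not card numbers. Note that the report masks the PAN: a tool that prints full card numbers into a log file has just created a second copy of the problem.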

PCI DSS requires that systems handling cardholder data be firewalled off from untrusted networks and strongly recommends segmenting them from the rest of the corporate network, so POS systems should not share the connections used by standard desktop workstations. But it's not uncommon for POS systems to sit on the same flat network as the rest of the company. In that case, an attacker who gets a foothold anywhere in the corporate network can reach the terminals undetected, set up an internal upload server, and have the POS malware send credit-card data to that bogus server. A terminal that needs to talk only to a payment gateway and a store controller has no business connecting to anything else, and that is a simple thing both to enforce and to alert on.
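The segmentation point is easy to state and easy to check. The script below is an added example, not anything from the Target investigation or from a product: it walks a constructed set of connection records, flags any flow from an assumed POS address range to a destination that is not on an assumed allow list (a payment gateway and a store controller), and then looks for the pattern that matters in a breach like this one, several terminals converging on one unexpected host.

```python
"""Added example: flag POS terminals talking to anything but the hosts they
are allowed to reach.

PCI DSS wants the card-handling systems walled off; this script checks
connection records against that intent. The address ranges, hosts and flow
records are all constructed for the example.
"""
import ipaddress
from collections import defaultdict

POS_NET = ipaddress.ip_network("10.50.0.0/16")          # assumed POS VLAN
# (destination, port) pairs a terminal legitimately needs: an assumed payment
# gateway and an assumed store controller.
ALLOWED = {("10.1.2.10", 443), ("10.1.2.20", 8443)}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src, dst, dst_port, bytes_sent)
FLOWS = [
    ("10.50.3.21", "10.1.2.10", 443, 12_400),
    ("10.50.3.21", "10.1.2.20", 8443, 2_100),
    ("10.50.3.22", "10.1.2.10", 443, 9_800),
    ("10.50.3.21", "10.20.7.5", 445, 4_300_000),   # three terminals pushing
    ("10.50.3.22", "10.20.7.5", 445, 3_900_000),   # megabytes to one internal
    ("10.50.3.23", "10.20.7.5", 445, 4_100_000),   # host over SMB
    ("10.10.9.4",  "10.20.7.5", 445, 1_000_000),   # office PC, out of scope here
    ("10.50.3.24", "203.0.113.9", 21, 150_000),    # terminal reaching the Internet directly
]


def policy_violations(flows, pos_net=POS_NET, allowed=ALLOWED):
    """Flows from the POS range whose (dst, port) is not on the allow list."""
    out = []
    for src, dst, dport, nbytes in flows:
        if ipaddress.ip_address(src) in pos_net and (dst, dport) not in allowed:
            out.append((src, dst, dport, nbytes))
    return out


def staging_hosts(violations, min_sources=2):
    """Destinations collecting traffic from several terminals at once.

    A single misconfigured terminal is noise; many terminals converging on
    one unexpected host looks like a collection server.
    """
    sources = defaultdict(set)
    volume = defaultdict(int)
    for src, dst, dport, nbytes in violations:
        sources[(dst, dport)].add(src)
        volume[(dst, dport)] += nbytes
    return {k: {"terminals": sorted(v), "bytes": volume[k]}
            for k, v in sources.items() if len(v) >= min_sources}


def external_violations(violations):
    """Terminals that reached an address outside the private ranges at all;
    a terminal should never need the Internet directly."""
    return [v for v in violations
            if not any(ipaddress.ip_address(v[1]) in n for n in RFC1918)]


if __name__ == "__main__":
    bad = policy_violations(FLOWS)
    print("violations:", len(bad))
    print("staging hosts:", staging_hosts(bad))
    print("direct external:", external_violations(bad))
```

The same logic runs unchanged over firewall logs or NetFlow exports once they are parsed into the same tuples. The allow list is the important artefact: if nobody can write down which hosts a terminal must reach, nobody can tell when it reaches something else.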

When fishing, go for the biggest catch

It’s no mystery why cyber thieves are targeting large retail businesses; they’re following the money — especially as more customers prefer using credit cards to cash or checks. (An interesting side note: according to a Wikipedia post, bank robber Willie Sutton didn’t actually make that infamous retort: “Because that’s where the money is.”)

Today, almost all in-store credit-card transactions go through POS units. And as mentioned above, stealing credit-card data from a POS unit pays off better in the U.S. than in most of Europe. Nearly all credit cards in the U.S. use a magnetic stripe on the back for processing sales, and a stripe is just static data: whoever copies the track data can write it to a blank card and use it anywhere stripes are accepted. The more-secure Chip-and-PIN technology is used in Canada, the United Kingdom, Ireland, and most of the EU. It is built on EMV smart cards, which hold a key that never leaves the chip and use it to produce a cryptogram unique to each transaction; copying whatever data can be read from the chip doesn't let a thief produce that cryptogram, which is why EMV cards are much more difficult to clone. The PIN can also be verified by the chip itself, offline, rather than being sent to a server. Two caveats: chip cards still carry a stripe for fallback, so the benefit arrives only as terminals stop accepting swipes, and the chip does nothing for online purchases, where no card is present.
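The difference between a stripe and a chip comes down to whether the thing the thief copies is also the thing that proves the card is genuine. The following is an added example, a deliberately simplified model of the idea behind EMV transaction cryptograms and not EMV's real messages, key hierarchy or cryptogram format: a stripe issuer that can only compare static track data, beside a chip issuer that verifies a keyed MAC over a transaction counter, the amount and a terminal-supplied random number. The card number is a published test number and the keys are generated on the spot.

```python
"""Added example: why a copied stripe replays but a copied chip transaction
does not.

This is a deliberately simplified model of the idea behind EMV transaction
cryptograms, not EMV's real message formats or key hierarchy. The card
number is a published test number; keys are generated at run time.
"""
import hashlib
import hmac
import os

TEST_PAN = "4111111111111111"           # published test number
TRACK2 = ";4111111111111111=2512101?"   # static stripe data, identical on every swipe


# --- magnetic stripe: the "secret" is the data itself -----------------------
class StripeIssuer:
    def __init__(self, known_tracks):
        self.known = set(known_tracks)

    def authorize(self, track2, amount):
        # Nothing in the request proves a genuine card produced it.
        return track2 in self.known


# --- chip: a key that never leaves the card authenticates each transaction --
class ToyChipCard:
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key     # stays inside the card; the terminal never sees it
        self.atc = 0        # application transaction counter

    def generate_cryptogram(self, amount, unpredictable_number):
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount}|{unpredictable_number}".encode()
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class ToyChipIssuer:
    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan, key):
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorize(self, pan, atc, amount, unpredictable_number, cryptogram):
        key = self._keys.get(pan)
        if key is None or atc <= self._last_atc[pan]:
            return False                          # unknown card or replayed counter
        msg = f"{pan}|{atc}|{amount}|{unpredictable_number}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cryptogram):
            return False                          # wrong key or altered data
        self._last_atc[pan] = atc
        return True


def demo():
    """Run the cases and return their outcomes (True = approved)."""
    results = {}

    # 1. Stripe data copied from memory and replayed from a cloned card: approved.
    stripe_bank = StripeIssuer([TRACK2])
    results["stripe_clone"] = stripe_bank.authorize(TRACK2, 49.99)

    # 2. Chip transaction captured in full and replayed verbatim: rejected.
    key = os.urandom(16)
    card = ToyChipCard(TEST_PAN, key)
    bank = ToyChipIssuer()
    bank.enroll(TEST_PAN, key)
    un = int.from_bytes(os.urandom(4), "big")       # terminal's unpredictable number
    atc, ac = card.generate_cryptogram(49.99, un)
    results["chip_genuine"] = bank.authorize(TEST_PAN, atc, 49.99, un, ac)
    results["chip_replay"] = bank.authorize(TEST_PAN, atc, 49.99, un, ac)

    # 3. Thief has PAN, counter and an old cryptogram but not the key: rejected.
    un2 = int.from_bytes(os.urandom(4), "big")
    results["chip_forge"] = bank.authorize(TEST_PAN, atc + 1, 49.99, un2, ac)

    # 4. The genuine card's next purchase still goes through.
    atc2, ac2 = card.generate_cryptogram(12.50, un2)
    results["chip_second"] = bank.authorize(TEST_PAN, atc2, 12.50, un2, ac2)
    return results


if __name__ == "__main__":
    print(demo())
```

The memory scraper in the Target case captured something equivalent to TRACK2, which is all a stripe issuer can ask for. Against the chip model, the same capture yields a counter that has already been used and a MAC bound to a random number the terminal will never pick again; without the key, the thief cannot make a fresh one.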

There's a robust and growing underground marketplace for POS malware, including versions built into easily deployed attack kits. The Target breach plus attacks on Neiman Marcus and other U.S. retail companies clearly show that assaults on POS systems will get worse before getting better. (A Target website page provides updates on the Christmas breach.)

Ways to help protect yourself from POS attacks

The obvious answer to credit-card data breaches is returning to cash and checks. But that’s not going to happen — cash and checks have their own problems. So given that we’ll stick with our cards, here are some small steps you can take to better protect yourself.

  • Use limited-use credit cards: When I went on a recent excursion to Europe, I purchased a prepaid credit card and loaded it with sufficient funds for the trip. This not only enforced my travel budget, it also limited my exposure should someone have stolen my credit-card information. The trip is now a pleasant memory, but I’ve kept the card and reload it from time to time; I use it when I’m uncomfortable handing over my regular cards.
  • Sign up for monitoring: Even if you weren't affected by the Target breach, it's a good idea to watch your credit reports and make sure no one is using your personal information to open loans and credit cards or to run other scams. The three major U.S. credit-reporting companies are Equifax, Experian, and TransUnion.
  • Review your bank accounts — often! Regularly check your credit-card activity and bank balances. You don’t have to be near your laptop or desktop PC; most banks and credit-card companies offer apps for mobile phones, tablets, and even Kindle devices.
  • Understand your exposure, and immediately report the loss of a card: In the U.S., federal law caps your liability for fraudulent credit-card charges at $50, and most issuers waive even that, so you're typically not on the hook for any fraudulent transactions. You might, however, find it a bit more difficult to use your credit card for some time after the theft. Debit and ATM cards are different, and an FTC site details your exposure. In short, if you notify the bank before unauthorized charges are made, you're not liable; report within two business days and the cap is $50; report within 60 days of the statement and it can be $500; wait longer than that and you can lose everything taken, including from linked accounts. So contact the bank quickly.
  • Watch out for bogus emails after major events: Whenever there’s a natural disaster or some other headline-grabbing event, scammers take the opportunity to try some social engineering — tricking you into clicking malicious links. Often, it’s difficult to tell these bogus emails from valid vendor mail. Target should be ashamed of itself for sending out email-based breach notifications via a third party.

    Everyone I talked to, including some security-savvy people, thought the Target communication was bogus. Many others did too, as reported in a Business Insider story. When in doubt, go directly to the vendor's website: type the vendor's address into your browser rather than clicking a link in the email. After a breach, a company will generally post its notice on its own site, and most U.S. state breach-notification laws require a conspicuous posting there when the company can't reach everyone individually.

  • Go to good sources for accurate information: The security communication specialist Christopher Budd once told me that early information about a security incident is often wrong. Follow the breaking news reported by publications you know you can trust. The Windows Secrets newsletter, for example, typically doesn't break news on security breaches but waits until there is enough reliable information for an accurate story. I also follow Krebs on Security and Threatpost, two excellent sources for thorough and accurate security news.
  • Communicate your concerns: Sadly, many vendors take action only when their fed-up customers get truly vocal. When you think a company is not sufficiently protecting your personal and financial information, I suggest taking to the social-network airwaves to express your dissatisfaction.

    Many companies such as Target use Facebook as their customer-outreach arm. Or find a company’s feedback page and express your concerns. Better businesses respond quickly when they’ve upset customers. Finally, keep in mind that you always have the final word. You can always move to another bank, credit-card service, or retail establishment.

At one time, we worried about our credit-card security when shopping online. But now it appears that brick-and-mortar shopping is a greater threat. Cyber theft — of any type — is damaging our trust in companies along with our pocketbooks. I urge you to take some targeted action now to protect yourself from the next breach. You know it’s coming. For more ways to protect yourself, see the Oct. 17, 2013, Top Story, “Protect yourself from the next big data breach.” Stay safe out there!

About skicat56

Snow Sports Industry veteran – Husband – Father – Network IT Ninja & Former Powncer. Old enough to know better but young enough to start a new career.