The fallout of the Target Corp. data breach incident just keeps spreading.
According to the Globe and Mail, the U.S.-based discount chain is for the first time warning Canadians that the huge data breach it suffered in December may have been stolen. The company has said no data was lost from Target stores in this country, but shoppers who bought items in U.S. stores might have had their names, addresses, email addresses and phone numbers swept up.
Two security firms say the 11GB of data of some 700,000 customers taken from Target’s point of sale terminals was transmitted to Russia.
Dubbed a memory or RAM scraper, the malware apparently went after unencrypted data held in the terminal’s memory, scraped it up and sent it outside the firewall.
The data may have been encrypted at all other times – data in transit or at rest — but at the moment it goes into memory – essentially data in use — it isn’t.
According to Jeff Debrosse, director of security at Websense, the creators didn’t do anything new –POS RAM-scrapers data back to 2011. He said in an interview the malware looks for non-Windows processes with certain strings. In this case, credit card data read by POS terminals have a start and end of file indicator.
“We want standardization so retailers and banks and financial institutions can work with each other,” he said. “The challenge is things are so standardized that if you can get your hands on unencrypted cardholder information you surely have the (file) indicators — beginnings of the card holders information to the termination point that tells you the information stream is closed.”
It’s a better strategy than trying to search a retailers’ system for the encryption certificate keys to decrypt data held at rest, he said.
Debrosse shied away from saying Target could be faulted. “We all as an industry use our computers the way they are architected — data and processes run in memory.”
On the other hand, he said organizations and POS vendors could install “whitelisting” software keeps a list of approved process and applications. Non-standard processes running in memory then be terminated or sandboxed.
In addition, a proper data loss prevention strategy should be watching outgoing traffic from an enterprise to ensure personal data is only going to approved destinations.
Meanwhile Gartner analyst Avivah Litan takes aim at the Payment Card Industry (PCI) standard and says it has to bear some blame.
“Clearly, PCI compliance is not working very well – despite billions of dollars spent by merchants and card processors in efforts to achieve it,” she said in a blog. “It’s flat out wrong to blame this all on Target or on any other breached entity. The card issuing banks and the card networks (Visa. MasterCard, Amex, Discover) share responsibility for not doing more to prevent the debacles that have predictably occurred over the past nine years, when the big breaches first began.
“At the least, they should have upgraded the payment systems infrastructure to support end (retailer) to end (issuer) encryption for card data much like PINs are managed today. They should have also started migrating to stronger cardholder authentication (ala EMV Chip cards) so that the magnetic stripe on the back of our cards can finally be eliminated.”
As more detail on the Target and Neimen Marcus breaches comes out there will be more blame spread.