Target traces security breach to stolen vendor credentials

Target traces security breach to stolen vendor credentials

Summary: The hackers who stole millions of credit card numbers from Target have been tracked back to electronic credentials stolen from a vendor.

SHARE:
TOPICS: Security
22
Screen Shot 2014-01-30 at 09.50.54

Target's investigation of the massive security breach which allowed hackers to take millions of credit and debit card numbers has revealed a stolen vendor's credentials as a source of access.

Speaking to the Wall Street Journal, spokeswoman Molly Snyder confirmed that "ongoing forensic investigation has indicated that the intruder stole a vendor's credentials which were used to access our system."

While Target has not revealed how the credentials were stolen or which particular outlet was at fault, the firm did say the particular portal now has limited access to its computer systems while the investigation continues. Target's systems are accessible from a number of outlets and many different platforms could be at fault. For example, two systems -- a human resources website and supplier database -- had access restricted shortly after the attack was discovered, but Target said the hackers used a system which was not related to payment areas.

It is not yet known how the hackers moved from an unrelated platform to Target's point-of-sale devices.

Meet the 'Spy Smurfs': Here's how the NSA, GCHQ target iPhones, Android devices

Meet the 'Spy Smurfs': Here's how the NSA, GCHQ target iPhones, Android devices

Meet the 'Spy Smurfs': Here's how the NSA, GCHQ target iPhones, Android devices

According to the latest Snowden leaks, Britain's GCHQ can remotely control iPhones and Android devices using "targeted" tools. Meanwhile, the NSA can tap "leaky" apps to determine a person's age and location, and in some cases even their sexual orientation and political views.

Large firms usually have access to far more security-related resources than small vendors and firms that piggy-back on their systems -- whether as part of a supply chain or as a provider of third-party software. As a result, cybercriminals are known to break in to smaller systems with less protection in order to access larger, more lucrative networks. In this case, Target's networks were infiltrated through a third party, allowing the hackers to move through Target's systems to steal valuable credit card information.

The cyberattack, taking place from November 2013, lifted roughly 40 million credit and debit card records from the US. retailer, as well as approximately 70 million records containing information such as addresses and mobile numbers. While Target is working with the U.S. Secret Service and FBI to track down the culprits, the stolen data has been floating around black markets for weeks, according to a report on Krebs on Security.

The stolen data can be purchased as "dumps," data that can be used to clone debit and credit cards to use them in stores. If PIN codes are included within the data dumps, then criminals can also use the clones to take cash from bank accounts using ATMs.

Target is not the only recent high-profile target of data thieves. Last week, U.S. retailer Neiman Marcus Group admitted its own security breach, which resulted in the credit card scraping of 1.1 million customers. Malware on the company's systems was discovered on Jan. 1, and it is believed was able to collect payment card data from July 16 to Oct. 30 last year.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

22 comments
Log in or register to join the discussion
  • Replaced my card

    I replaced a card that I had used on a Target purchase during the breach period a few weeks ago. You have to have the card reported as "stolen" and then they will issue you a new number. What I find puzzling is that, given what we know about this breach, banks aren't automatically issuing new cards to customers whose card info was likely stolen. I guess they figure the cost of dealing with the fallout is less than the cost of issuing millions of new cards. They've probably got procedures in place to deny charges made in Eastern Europe on a card issued in Hoboken, & such. Still, that's pretty crazy. The banks need to step up security measures on these cards. They need real, two factor authentication with one time use key generators built into the card itself. I'm sure it would be reasonably inexpensive to add this to a card, especially when you consider the economies of scale involved.
    dsf3g
    • Replaced my card, Part 2

      Chase card holders had their cards automatically replaced.
      Gfinch@...
    • Must be the bank

      My mom used her debit card at Target and called her bank and they replaced it right then, no problem at all. I don't remember the name of her bank but it must be an issue with some banks.
      BrianC6234
      • Most banks make you wait card-less.

        They cancel your OLD card immediately, but you have to wait until they MAIL you the new card, AND a separate mailer with the PIN in some cases (that makes the mailbox thieves have to make another trip), BEFORE you have any access at all to your money at an ATM.
        jallan32
  • Proper network and device segmentation were not implemented

    If Target had implemented proper network segmentation the hackers would not have had access to card processing systems from unrelated web servers.

    its important to know what is appropriate for a device or server to communicate with on your network and deny any communications from unauthorized IPs.

    This isn't hard to implement folks although I guarantee the first time you ask the developers they wont be able to accurately tell you what should and should not be allowed. monitor, confirm, and validate then lock it down.

    POS systems do not need to be accessed by every PC and server on your network. They should only be able to communicate with a few servers for device management etc.
    greywolf7
  • That's what using Windows gets you.

    Easy to write malware for and very easy to get it in there with all the constant patching and such.

    Every store should be required to not run Windows on their POS terminals and run a truly hardened OS, like Linux or a custom OS.
    itguy10
    • Didn't you hear? Those stolen vendor credentials

      where lifted from a Linux based server.
      William.Farrel
      • Willy, come up something better

        You do have some valid links to your claim correct?

        "Target hackers may have exploited backdoor in widely used server software"
        http://arstechnica.com/security/2014/01/target-hackers-may-have-exploited-backdoor-in-widely-used-server-software/

        "New Clues in the Target Breach"
        http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
        RickLively
        • Come now, RickLively. Do you honestly expect

          that when responding to an obvious troll like itguy10, that I should waste any time doing anything beyond just embarrassing him.

          Yet again.

          :)
          William.Farrel
          • Yea,

            you embarrassed itguy10.

            Who is actually laughing, yet again..
            RickLively
          • Hoprfully they'll get the idea

            that this s a tech site, not a site for those with their own selfish agenda's that will post anything, no matter how obvious a troll. Hopefully, those people that are more then happy to dish it out, but cry foul when they have to take it, leave.

            But I've been told that won't likely happen, so.........
            William.Farrel
    • Linux (on the desktop) is a joke

      Every update breaks the functionality of your computer (video/sound) and the software available on that platform is a bad joke. The video drivers available on Linux don't even make use of all the features of a video card.

      Have fun changing your distros every 6 months ... 600 distros and they all suck. No wonder Linux has a microscopic market share on the desktop.

      You Linux trolls are just too funny ... learn IT and come back with better arguments.
      perrrob
      • Need a hug....

        or just looking for a response..

        Virtual hug......for grumpy.....

        :)
        RickLively
  • Why are PINs stored

    Why should Target, or anyone else be storing PINs? Couldn't they be encrypted at the POS device and never stored by the retailer? In that case, at best/worst the encrypted PIN could be captured. Why don't banks insist on this?
    Original Mike
    • PINs

      The only way the PINs are getting stored is if the data is stolen right away before anything can be done with it. Target isn't storing that information. It's supposedly captured when the card is swiped by the customer. At least I hope Target isn't storing it. They shouldn't even look at that information.
      BrianC6234
  • "Stolen vendor's credentials"?

    Really? Which vendor was stolen? Shouldn't the statement read ..."vendor's stolen credentials..."? No wonder we can't trust anything from these "journalists" - they don't even understand the English language enough to write a proper sentence.

    I was helping one of my children with homework today & came across this question: "What season did the story take place?". The question should read "IN what season does this story take place?". Seeing this type of thing on a school paper really makes me wonder about the quality of education we have these days - & our school district is rated very highly.

    I know, it sounds nit-picky, but if we can't get simple sentence structure correct in order to make the meaning clear, both in school & on a widely-read journalistic website, we have issues, my friends.
    rmazzeo
    • Unless they changed it, it reads "Stolen vendor credentials"

      not "vendor's", with "vendor credentials" as the noun, and "stolen" the past tense of the verb "steal", which is acceptable, If I remember correctly.
      William.Farrel
  • as I had said before

    what reason a POS needs to have any access to any unprotected network
    and even to any network not specifically layedout to POS communicasion?
    any POS system MUST be a closed system, isolated from anything
    vl1969
  • We must get congress to act.

    It makes me mad that we still have magnetic strips and signatures when the rest of the world has a chip and pin system. This is what happens when lobbyist tell congress what to do.

    Anouther big problem is using social security numbers as ID when applying for credit. We should be able to set up a password that can be changed and protected instead of using an easily stolen SSN that is on every government document. That system is beyond insane and I don't see why a password system could not be used insead of a SSN.
    KLS 12.5
  • Huh?

    First off, why is Target even storing credit card numbers? I know it used to be that stores needed to verify transactions in a batch, but with modern systems there is no such need. A purchase should be authorized and verified at the exact same time. Thus there would be no need to keep a copy of the credit card numbers. The company that they used to process the credit cards may need to have it, but Target shouldn't have it.

    Secondly, even if there is a legitimate need for Target to retain this information, there is no reason that human resources, outside vendors, etc. would EVER need access to this information, so they shouldn't have access to it.
    cmwade1977