Did the Target hackers steal credit card data directly from cash registers? Computer experts struggle to solve mystery of second largest digital heist in U.S. history
- Experts suspect hackers wrote code that gave them access to Target's point of sales system and all its cash registers
- Almost all of Target's 1,797 stores in the US were targeted as 40,000 credit card swipe machines were hacked
- Second largest theft of credit card details in American history
- Data mining software installed on swipe machines sent card details to hackers
- Secret Service investigating
- Thieves tried to use credit card of one victim at a California casino
By Alexandra Klausner and Reuters
PUBLISHED: 19:50 EST, 19 December 2013 | UPDATED: 21:09 EST, 19 December 2013
As Target grapples with the aftermath of a colossal data breach possibly affecting 40million credit and debit cards, experts say the scheme was extremely sophisticated and might have involved an attack on the chain's cash registers.
The data theft, unprecedented in its scale, took place over a 19-day period that began the day before Thanksgiving. Target said that it identified and resolved the issue on December 15.
It is thought hackers obtained the data by remotely installing software on 40,000 credit card machines in nearly all of Target's 1,797 stores nationwide.
Scroll down for video
Soft target: Experts believe the hackers attacked Target's point-of-sale system, pulling customers' data directly from cash registers
HOW DID HACKERS STEAL THE CREDIT CARD DETAILS?
Hackers are thought to have stolen the credit card details by breaking in to Target's computer systems and installing data mining software on credit card machines.
The software installed on 40,000 machines across Target's 1,797 stores read the information on a card's magnetic strip -including account number, sort code and CCV code - when it was swiped through the machine.
All the card details were then sent back to the hackers through the internet, before the theft was discovered after nearly three weeks.
Experts disagree about how the breach might have happened.
Avivah Litan, a security analyst with Gartner Research, said given all the security, she believes the breach may have been an inside job.
But thefts of this size are too big to be the work of company employees, said Ken Stasiak, founder and CEO of Secure State, a Cleveland-based information security firm that investigates data breaches like this one.
Stasiak said that such breaches are generally perpetrated by organized crime or an overseas, state-sponsored hacker group.
Stasiak’s theory is that the hackers were able to breach Target’s main information hub and then wrote a code that gave them access to the company’s point of sale system and all of its cash registers.
That access allowed the hackers to capture the data from shoppers’ cards as they were swiped.
James Lyne, global head of security research for the computer security firm Sophos, believes that something went awry with Target’s security measures.
‘Forty million cards stolen really shows a substantial security failure,’ he said. ‘This shouldn’t have happened.’
software could have spread through the Target network after being
installed on a company machine, possibly by fooling an employee into
clicking on a fake link in a 'phishing' scam.
The breach did not affect online purchases, Target officials said.
Data mining software: Hackers are thought have stolen the credit card details of up to 40 million Target customers by installing software on credit card machines
Stasiak said that given the sophistication of this attack, there’s only about a 5 per cent chance that the perpetrators will eventually be caught and prosecuted.
He noted that in cases like this, it’s hard to determine where the attack originated and given the large mass of information involved it’s not going to be found housed on someone’s home computer.
James Wester, research director of IDC Financial Insights, told NBC News that usually hackers target well-protected databases storing credit card data.
In the case of Target, however, the masterminds of the brazen heist likely attacked the store's point of sale system, pulling customers' credit card information directly from mounted cash registers using malware.
'That is what is kind of mystifying at this point,' Wester said. 'It seems like from a security standpoint, Target was doing all of the right things, and somehow this code was put on the POS system, which isn't a normal access point for hackers.'
Christopher Browning, 23 of Chesterfield, Va., said was the victim of credit card fraud earlier this week and he believes it was tied to a purchase he made at Target with his Visa card on Black Friday. However, he called Visa Thursday and the card issuer couldn't confirm. He says he hasn't been able to get through Target's call center.
On Monday, Browning received a call from his bank's anti-fraud unit saying that there were two attempts to use his credit card in California - one at a casino in Tracey, Calif. for $8,000 and the other at a casino in Pacheco, for $3,000. Both occurred on Sunday and both were denied. He canceled his credit card and plans to use cash. Although Browning has no proof, he says he believes the fraud was tied to his Black Friday purchase at Target.
Alternative theory: A small group of security experts suspect that the scheme may have been an inside job
"I won't shop at Target again until the people behind this theft are caught or the reasons for the breach are identified and fixed," said Browning.
Though smaller than the breach disclosed in March 2007 by TJX Companies Inc, parent of apparel chains TJ Maxx and Marshalls, the data theft took place over a much shorter period and hit shoppers at the beginning of the U.S. holiday season.
Target said the breach might have compromised accounts between November 27 and December 15, a period of nearly three weeks.
The data theft revealed by TJX took place over 18 months, affecting 45.7 million payment cards, according to the company. Banks later said in court documents that the hackers could have obtained more than 94 million account numbers in the TJX case.
On Thursday, Target told customers in an alert on its website that the criminals had stolen customer names, payment card numbers, expiration dates and their CVV security codes.
The company's shares fell in today as the Secret Service launched an investigation and the first victims of the theft began to emerge.
This data would allow them to produce counterfeit credit cards, and if they were also able to intercept PIN numbers they would be able to create debit cards to withdraw money from ATMs.
"On December 15, we were able to identify an unauthorized access and we were able at that time to resolve the issue," Target spokeswoman Molly Snyder said by telephone.
Almost all stores: Nearly all of Target's 1,797 stores were targeted as hackers infiltrated 40,000 credit card machines
Krebs on Security, a closely watched security industry blog that broke the news on Wednesday, said the breach involved nearly all of Target's 1,797 stores in the United States and investigators believed the data was obtained via software installed on point-of-sales terminals used to swipe magnetic strips on payment cards.
It is not yet clear how the attackers were able to compromise point-of-sales terminals at so many Target stores. "It is very clear it is a sophisticated crime," Snyder said.
WHAT SHOULD YOU DO IF YOU USED YOUR CARD AT TARGET?
If you think yours was one of the 40 million credit or debit cards involved in a data breach at Target, security experts recommend a policy of watching and waiting: Watch the account you used at the retailer on a daily basis, and wait, because there's no telling when it will be tapped by thieves.
With the information that was obtained in the data breach between Nov. 27 and Dec. 15 - cardholder names, card numbers and the three-digit security codes - crooks can use them for online transactions or manufacture duplicate cards.
"This could be something that hits your card months from now, so you need to continue to be vigilant," says Yaron Samid, chief executive officer of BillGuard, a company that offers a free service monitoring credit and debit cards for unusual activity.
Don't look for crazy, big-ticket charges, Samid says.
Sophisticated hackers are more likely to make small purchases, sometimes aimed at checking the viability of an account.
"These folks are not going to put a $10,000 charge on one card," Samid says. "They're going to put a $1 charge on 10,000 cards."
Small charges are less likely to be noticed and disputed, he says, and a single charge - even if it's for just 99 cents - enables the crooks to resell the stolen information at a premium, according to Samid.
A validated stolen card number is worth more than an untested one, he says.
If you used a credit card at Target, you have more protection than if you used a debit card. That's because consumers are protected from the fraudulent use of a credit card. You still have to report the fraud to your card issuer.
A fraudulent charge is typically credited back to the consumer's account after a fraud report is made. The card issuer then investigates the complaint and, unless the charge is found to be valid, the credit will be made permanent.
With a debit card transaction, money immediately comes from the consumer's bank account. After filing a fraud report with the bank, it is then in the bank's hands when - or if - to return that money.
Either way, if a fraudulent charge is spotted, consumers should get a new card.
But experts say it's better to err on the side of caution, and - at least for debit card holders - get a new card now.
"I do see this as a very severe breach. Take it very seriously," says Mark McCurley, senior information security adviser for Scottsdale, Arizona-based IDT911 Consulting, a company that does data breach prevention and post-breach analysis.
McCurley says he used his debit card at a Target store during the period the numbers were stolen. He requested a new debit card and PIN number.
"That's how seriously I'm taking the matter," he says.
At a minimum, change your PIN number, experts advise. If the thieves have captured your PIN, you can prevent them from getting a cash-back during a transaction or using your card at an ATM machine, McCurley says.
Molly Snyder, a spokeswoman for Target, says there is no indication at this point that PINs were collected by the thieves.
The U.S. Secret Service is working on the investigation, according to an agency spokeswoman. A Federal Bureau of Investigation spokeswoman declined to comment.
"While this search for the truth is happening, the issue damages the trust Target have gained in mobile and calls into question how sales (will) trend in January," said Brian Sozzi, chief executive officer of Belus Capital Advisors.
Falling shares: Target's stocks began falling today as the markets absorbed the news of the massive theft
MasterCard and Visa officials had declined to comment late on Wednesday, after news of the breach surfaced. An American Express spokeswoman said the company was aware of the incident and was putting fraud controls in place.
The theft is particularly troublesome for Target because it has has used its red branded credit and debit cards as a marketing tool to lure shoppers with a 5 percent discount. As many as 25 per cent of Target shoppers use the store branded cards.
This holiday season, Target added other incentives to use its cards. Two days before Thanksgiving, Target.com ran a special review sale with 25 exclusive offers, from electronics to housewares for those who used the branded card.
Households who activate a Target-branded card have increased their spending at the store by about 50 percent on average, the store says.
'This is how Target is getting more customers in the stores," said Brian Sozzi, CEO and Chief Equities Strategist. "It's telling people to use the card. It's been a big win. If they lose that trust, that person goes to Wal-Mart.'
Target said it had alerted authorities and financial institutions immediately after it was made aware of the unauthorized access and that it was "putting all appropriate resources behind these efforts."
The company said it hired a forensics firm to investigate the incident.
Target's shares were down 1.7 percent an hour before the market was due to open.
The shares, which have risen 7.4 percent this year, closed at $63.55 on the New York Stock Exchange on Wednesday. The stock has largely underperformed the broader S&P 500 index, which has risen 27 percent this year.
usually sell account information on the black market to those who want
to produce fake cards. Crime rings use the cards to buy gift
certificates from large stores that they later turn into cash, according
Target Corp. advised customers to check their statements carefully. Those who see suspicious charges on the cards should report it to their credit card companies and call Target at 866-852-8680.
MOST WATCHED NEWS VIDEOS
MOST READ NEWS
- Topless calendar pictures of Lebanese Olympic skier spark calls for ministerial inquiry in Beirut after they are leaked online
- Our brain has a bad-decision detector: Scientists discover region that prevents humans making the same mistake twice
- Rise of the me first mothers: Changing nappies in restaurants. Brazenly promoting their little darlings. CATHERINE OSTLER identifies an infuriating new breed of parent
- 15-year-old girl leaps to death off UWS building
- Sony World Photography Awards capture everyday struggles across the world
- Couple accused of having sex on airplane facing more charges
- Woman who died in Big Sur Bixby Bridge crash ID'd
- Couple arrested for having sex on plane
- Salinas housewife accused of sex crimes against Palma High student
- Timeshia Brown places ad in Texas newspaper after husband's affair
- Two dogs and their one big pal, Douglas the little hippo: Trio form unlikely friendship at wildlife rescue park after baby was abandoned at just two weeks
- Children as young as six have been acting out drug and rape scenes from Grand Theft Auto in the PLAYGROUND, says headteacher
- Fired PR firm employee claims he was sexually harassed by female co-workers who groped him and sent him sexts like 'when are we going to have out bang sesh?'
- Bill Clinton poses with PROSTITUTES at a charity event
- Georgia mother, 21, accused of murdering her three-year-old daughter
- UC Santa Cruz Dean of Students arrested on DUI charge
- Down and out! US figure skaters Polina Edmunds and Gracie Gold BOTH fall in final routines as Ashley Wagner fails to inspire
- Detectives investigate after woman killed in Cabazon
- Big Island artist goes head-to-head against CafePress
- Boss of Indian car giant Tata dies 'in fall from hotel balcony' on business trip to Bangkok
- EXCLUSIVE 'A portal to hell': Police chief and priest who examined 'possessed' children at 'haunted' Indiana home back official reports saying it's no hoax
- British woman looks through boyfriend’s phone, finds video of him having sex with her dog
- Family of convicted murderer executed using new drug cocktail claim his death was cruel and unusual punishment as they sue the drug's manufacturers
- David Mace: Child-sex suspect from Tampa arrested in West Palm Beach
|PHOTOS: Plastic Surgery Celebrity||Awkward family photos|
|UPDATED: Faces of Meth||PHOTOS: Celebrities all a-Twitter|
- Santa Cruz man crashes into Aptos stop sign, power pole, fire hydrant
- Newborn baby pronounced dead at birth miraculously starts breathing 28 minutes later
- Dogs DO love their owners: Scans reveal dogs respond positively to scent of owners
- Evil-looking implements used by Auschwitz guards to tattoo prisoners
- Is this why some people can't stop smoking?
- Paul Weeks gave wedding ring to wife before boarding missing flight MH370
- Kauai Bus expands service
- Haiku woman, 52, injured by SUV
- Feinstein accuses CIA of spying on Senate computers
- Apparent murder-suicide investigation underway in Crawford County