Access was reportedly given to help power savings, but network wasn't properly isolated from consumer data

It's said that for every $100 USD spent at retailers via credit card, 5 cents is lost via digital fraud.  The holiday hack of Target Corp. (TGT) reminded Americans that this problem was far from solved.  And with new details leaking out from the U.S. Secret Service investigation there's cause for concern that the Target data loss could be just the tip of the iceberg in the attack.

I. Wal-Mart, et al. Revealed to be At Risk

The latest twist in the saga surrounding the massive credit card data loss should make other retail/grocery chains, including Whole Foods Market, Inc. (WFM), Trader Joe's Comp., and the nation's #3 warehouse retail chain, BJ's Wholesale Club, more than a bit nervous.

According to sources of Washington Post security researcher Brian Krebs -- the first member of the media to catch wind of the breach -- the hackers had a little help from an insecure third party.  They reportedly struck by first compromising servers at an air conditioning business in Sharpsburg, Penn., which Target used as a contractor.  The firm -- Fazio Mechanical Service -- has a flashy portfolio of high-profile clients which includes not only Target and all of the aforementioned retailers/grocers, but a number of other large firms that Mr. Krebs and other early reports have not mentioned.

This latest news emerged after Reuters and The Wall Street Journal quoted Target executives last week as saying that the breach occurred via a compromised third-party contractor.  Digging around on Fazio's clients page, which remains active following Mr. Krebs' post, I found that the list of high-profile clients doesn't stop with the three other companies Mr. Krebs mentioned.

Fazio's clients list includes many top chains that may have been exposed. [Image Source: Fazio Mechanical Service]

It turns out that Fazio's blue chip client list is even bigger, including large retail locations belonging to Wal-Mart Stores, Inc. (WMT) (and its subsidiary Sam's Club), Costco Wholesale Corp. (COST), and the ALDI Group; gas stations belonging to Marathon Oil Corp. (MRO) and Exxon Mobil (XOM); and restaurant locations belonging to Denny's Corp. (DENN) and others.

It is unclear why Mr. Krebs didn't notice these other, even bigger clients, but the discovery makes his warning more important than it sounded based on his shorter list.

These clients helped Fazio to earn the distinction of being the largest heating, ventilation, and air conditioning (HVAC) commercial sales and repair company in the western Pennsylvania area.  Fazio had service centers in Pennsylvania, as well as outposts in nearby states, including Maryland, Ohio, Virginia, and West Virginia.

It appears increasingly likely that Mr. Krebs' sources are correct -- there was a breach at Fazio that led to a breach at its client (Target).  Fazio President Ross Fazio confirmed that he received a recent visit from the Secret Service in connection with the ongoing Target investigation.

II. Timeline of the Attack Emerges

Fazio has otherwise refused to answer press questions as to whether its networks were penetrated by the hacker ring last November and then used as a launchpad for the alarming penetration of the nation's third largest retail chain.  But Reuters offers some verification of the report, writing:

A law enforcement source told Reuters that evidence suggests the hackers stole login credentials from Fazio and may have used the credentials to break into Target's network. The source added, however, that investigators were not sure that this was what happened, and it was possible the hackers used other ways to breach Target's network.

According to these various reports, the hack of Fazio began on Nov. 15.  Evidence points to hackers using the compromised Fazio networks, possibly via monitoring employee logins, to gather credentials to breach partners like Target.

Believed to be based in Russia and/or Eastern Europe, the unknown perpetrators of the hack used these credentials to access Target's store networks almost immediately, but they were smart enough to carefully test their newfound access.  They reportedly uploaded credit-card logging malware to the cash register computers at a small number of Target stores between Nov. 15 and Nov. 28, a test run of sorts.

A test-run preceded the full-blown attack on Target store registers. [Image Source: ABC News]

Satisfied with the results, on Nov. 27 or Nov. 28 they rolled out the malware to registers at a large number of Target locations during the height of holiday retail shopping.  For nearly a month the hackers continued to lurk unnoticed, silently stealing the unencrypted credit card numbers (CCN) and credit card authorization numbers that Target was storing at its retail locations.  Target finally detected the breach on Dec. 15 and notified federal authorities.

In total, the cyberthieves made off with at least 40 million Americans' credit and debit cards and 70 million Americans' personal data (addresses, home phone numbers, etc.).  The debit card losses are particularly problematic.  While fraudulent credit card transactions can be noticed instantly via online bank portals, reported, and cancelled, banks tend to be much more resistant to refunding debit transactions.  Furthermore, whereas stolen credit cards leave an identifiable purchase trail, cold cash received from withdrawals from cards with stolen PINs is much harder to trace.

III. Catch Me If You Can

Thus far the hackers have indeed proven hard to catch.

Hackers reportedly shuffled the data from the compromised Target networks through Fazio and out to a number of compromised servers in the U.S. and Brazil.  This was deviously clever for a number of reasons.  First, Target apparently sends a good deal of digital traffic to Fazio (more on that later) so it wouldn't be likely to notice anything unusual, versus if its store servers were phoning directly to the hackers.

Also, by shuffling the data to the so-called "drop sites" or "drop servers", the attackers were able to further cover their tracks.  The attackers reportedly had near-complete control of these systems, versus Fazio where the privileges gained were more limited.  As a result, they could fully cleanse the drop sites of direct records of where they were offloading the data to.

While sources have said this kind of tactic is a calling card of Russia and Eastern Europe's best black hat hackers, it sounds like federal authorities at this point have no real idea where the FTP traffic from the drop sites was going to.

Drop sites included a Miami, Florida-based small business and a business in Brazil, according to Mr. Krebs.

IV. At-Risk Retailers Could Have Avoided Breach in Multiple Ways

At this point there is no evidence that the hackers were able to obtain login credentials of other big Fazio clients, such as Marathon or Wal-Mart.  Even if they got the logins, there are a couple of reasons why those efforts could have fallen short of the epic looting of Target.

First, Target was reportedly used to sending a lot of data to Fazio.  Mr. Krebs writes that this is not uncommon, as retailers and restaurant chains often send data from local sensors to their HVAC contractors to improve energy efficiency.  An unnamed "cybersecurity expert" who was not authorized to speak on behalf of the major retailer they worked at stated:

To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software.  This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.

While the source indicates this was a widespread practice, it seems likely that at least some of Fazio's corporate clients operated differently and didn't share such efficiency data.  For example, it wouldn't make much sense to micromonitor gas station AC and heating, given the much lower costs.

Second, Target made a critical error in that it reportedly offered no separation between its store cash registers and its computerized heating and cooling controls.  According to Mr. Krebs, once hackers obtained access to the heating and cooling controls they basically received administrator privileges on cash registers sufficient to install malware programs silently.

V. Target Appears to Have Breached Legally-Binding Industry Standard

One would hope that at least some of the other Fazio clients practiced a bit better security.

Most major retailers, including Target, have agreed to a code of conduct when dealing with credit cards and debit cards.  Dubbed the PCI Standard [PDF], that legally-binding contract requires merchant personnel to use a two-factor authentication process for any incoming traffic and requests from third-parties -- a blanket category that includes advertising partners, repairmen, contractors, and other partners.  Many businesses are believed to skimp on this requirement, given that it's expensive to commit to such monitoring.

The breach seems to indicate that Target wasn't following many of the legally-binding PCI measures it agreed to. [Image Source: Brian Krebs/PCI Board]

The PCI Standard requires that all outgoing credit card information be encrypted.  Had the local database programs on Target's registers been made to comply with this standard, the hackers would have received the data in encrypted form, making it harder to crack/use.  Instead, they reportedly received unencrypted data, indicating again that Target's store software was not compliant.

And the PCI Standard also requires members to actively monitor network resources across all retail sites where credit card transactions are occurring.  The standard requires the points of sale to be outfitted with modern antivirus/antimalware software.  It seems unlikely that Target had such software and it seems likely that monitoring was far too short-staffed, given the fact that for nearly three weeks Target network staff failed to notice a massive outflow of suspicious packets from retail locations.
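The two controls the article says Target lacked, segmentation between the HVAC and register networks and monitoring for unusual outflow from store sites, both reduce to checks that can be run over flow records. The following is an added example, not code from the article, from Target, or from any PCI tool: it applies a constructed zone allowlist to hand-written flow records (so that a register talking to the HVAC zone is flagged as a segmentation finding) and compares each register's daily egress volume against a median of its own baseline days. Zone names, host names, ports and byte counts are all constructed for illustration.

```python
"""Segmentation and egress-volume checks over constructed flow records.

Added example; not the article's, Target's or any vendor's code. The zone
policy, hosts and byte counts below are invented for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed zone policy: which destination zones a source zone may reach,
# and on which ports. Anything else is a segmentation finding. In the article's
# terms, "pos" is the register network and "hvac" the heating/cooling controls.
ALLOWED_FLOWS = {
    ("pos", "payment_gateway"): {443},
    ("pos", "pos_mgmt"): {443, 8443},
    ("hvac", "vendor_remote"): {443},
}


def make_flow(day, src_host, src_zone, dst_zone, dst_port, nbytes):
    """Build one flow record (constructed; stands in for a NetFlow/IPFIX row)."""
    return {"day": day, "src_host": src_host, "src_zone": src_zone,
            "dst_zone": dst_zone, "dst_port": dst_port, "bytes": nbytes}


def segmentation_violations(flows):
    """Return flows whose (src_zone, dst_zone, port) is not in the allowlist."""
    findings = []
    for f in flows:
        allowed_ports = ALLOWED_FLOWS.get((f["src_zone"], f["dst_zone"]), set())
        if f["dst_port"] not in allowed_ports:
            findings.append(f)
    return findings


def daily_egress(flows, src_zone="pos"):
    """Sum outbound bytes per (host, day) for hosts in src_zone."""
    totals = defaultdict(int)
    for f in flows:
        if f["src_zone"] == src_zone:
            totals[(f["src_host"], f["day"])] += f["bytes"]
    return totals


def egress_anomalies(flows, baseline_days, factor=5.0):
    """Flag (host, day, bytes, threshold) where a non-baseline day's egress
    exceeds factor * median of that host's baseline days."""
    per_host = defaultdict(dict)
    for (host, day), b in daily_egress(flows).items():
        per_host[host][day] = b
    alerts = []
    for host, by_day in per_host.items():
        base = [by_day.get(d, 0) for d in baseline_days]
        if not base or median(base) == 0:
            continue  # no usable baseline for this host
        threshold = factor * median(base)
        for day, b in sorted(by_day.items()):
            if day not in baseline_days and b > threshold:
                alerts.append((host, day, b, threshold))
    return alerts


# Constructed sample: seven baseline days plus one day with an anomaly.
BASELINE_DAYS = [f"d{i}" for i in range(1, 8)]
SAMPLE_FLOWS = []
for _day in BASELINE_DAYS + ["d8"]:
    # Normal register traffic: card authorizations to the payment gateway.
    SAMPLE_FLOWS.append(make_flow(_day, "REG-0142", "pos", "payment_gateway", 443, 48_000))
    SAMPLE_FLOWS.append(make_flow(_day, "REG-0143", "pos", "payment_gateway", 443, 51_000))
    # HVAC controller reporting to its contractor: permitted by policy.
    SAMPLE_FLOWS.append(make_flow(_day, "HVAC-01", "hvac", "vendor_remote", 443, 20_000))
# Day 8: one register pushes a large file into the HVAC zone over FTP.
SAMPLE_FLOWS.append(make_flow("d8", "REG-0142", "pos", "hvac", 21, 2_400_000))


def run_checks(flows=SAMPLE_FLOWS):
    """Run both checks and return their findings."""
    return {
        "segmentation": segmentation_violations(flows),
        "egress": egress_anomalies(flows, BASELINE_DAYS),
    }


if __name__ == "__main__":
    result = run_checks()
    for f in result["segmentation"]:
        print(f"SEGMENTATION {f['src_host']} -> {f['dst_zone']}:{f['dst_port']} on {f['day']}")
    for host, day, b, thr in result["egress"]:
        print(f"EGRESS {host} sent {b} bytes on {day} (threshold {thr:.0f})")
```

The segmentation check fires on a single flow regardless of size, which is the control a zone firewall would have enforced up front; the volume check catches the slower signal the article describes, a register whose outbound bytes jump well above its own history, and it only needs per-host daily totals rather than packet capture.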

Avivah Litan, a fraud analyst at Gartner Inc. (IT), suggests the culpability may lie partially with the standards organization for failing to properly ensure its members were implementing the solutions they agreed to.

VI. Suits, Scrutiny Pile Up

Target executives were recently grilled in a Senate hearing over the breach. Chief Financial Officer John Mulligan seemed to overstate the sophistication of his company's monitoring efforts.  He testified:

Despite significant investment in multiple layers of detection that we had in our systems, we did not [detect the attacks sooner].

Mr. Mulligan added that his company was "very sorry" about attacks.  He testified that retailers and financial firms need to work together to adopt so-called "chip-and-pin" solution -- credit cards which use physical validation devices somewhat similar to RFID.  The chip-bearing cards typically have a miniature ASIC (application-specific integrated circuit) chip -- a purpose-built microprocessor -- onboard that offers a second point of validation for transactions.

Target CFO John Mulligan (left) is sworn in during a recent Senate hearing on the breach. [Image Source: Reuters]

While these technologies make credit cards more expensive for banks to print, they also make it harder for hackers to print fake cards with the stolen data they obtain, perhaps making it prohibitively costly in some cases.

But the issue is who will pay for that technology.  Given its apparent negligence and breach of the PCI Standard, Target will likely be forced to pay around $420M USD in damages, according to Avivah Litan, a figure that has grown as the extent of the breach became clear.

As of mid-January, Target faced over 70 lawsuits, including class action lawsuits from consumers and banks.  Such suits are often consolidated in the federal court system, but given its apparent breach of contractual obligations, Target's beleaguered legal team may have to consent to expensive settlements.

VII. Target CFO: "Card-and-Pin" Is the Answer ...

In addition to the $420M USD or more in potential damages, Target IT officials also indicated the cost to implement a chip-and-pin solution would be around $100M USD.  That puts the total costs at over half a billion dollars, more than a sixth of Target's net income ($2.99B USD) from last year.

And that's not to mention the cost of the apology promotions.  Target CEO Gregg Steinhafel announced in December that shoppers on Dec. 21 and 22 would receive a one-time discount equivalent to the discount that Target gives its own employees -- 10 percent off most items.

Target offered shoppers an apology discount in December.

Target would likely see the banks pay for that upgrade, particularly after they were so aggressive in targeting it with class action lawsuits.  But banks have been resistant to such changes, pointing out that hacks like Target's could have been stopped in other ways had stores not skimped on security spending.

They blame retailers for the breaches -- both in court and behind closed doors -- and say the retailers need to pay for the fix, whether that fix is physical security measures like card-and-pin readers or simply better site-based monitoring.

Card-and-pin identification technology could help make credit card fraud prohibitively expensive.  The tactic has been used in Europe with modest success. [Image Source: France24]

Federal Trade Commission (FTC) Chairwoman Edith Ramirez alluded to this in comments during the Senate hearing stating:

It is of concern to me that our payment card systems really do need improvement.  Based on latest information available to us ... it's clear that companies need to do a lot more, that they continue to make basic mistakes.

In short don't expect this problem to get fixed anytime soon, given that no one can seem to agree who should pay for the fix.

VIII. ... But No One Wants to Pay for Card-and-Pin

It's not surprising to hear the leaks from Target and other sources regarding Fazio, given that Fazio will likely be targeted in court by partners to try to recoup costs.  But it remains to be seen how much can be recouped.  Court documents [PDF] from a 2012 case indicate Mr. Fazio had an annual income of $1M USD (as of 1998), and analyst site Find The Company estimates that Fazio Mechanical Service currently has revenues of about $12.5M USD per year. 

That's unlikely to cover the half-billion or more that Target will owe, but it wouldn't be surprising to see the embattled company try to spread the blame on the smaller firm.

Finally, it's important not to assume that the other Fazio clients -- Wal-Mart, Whole Foods, Trader Joe's, Marathon, Costco, Denny's and Sam's Club (among others) -- have also lost credit card data.  While hackers did appear to have the first access level necessary to penetrate these other retailers, there's no evidence that such hacks have occurred.  It's possible that the hackers attacked only Target out of time constraints, or after examining other retailers' security systems and deciding Target was the softest target.

Likewise, it's equally important to realize that the breach Target has suffered may be just the tip of the iceberg.

History would suggest that large, sophisticated intrusions seldom affect only one firm, but often victimize several firms via a common security flaw. 

IX. History Repeats

Target itself was the victim of a massive hack back in 2005 that stole over 120 million credit cards.  While Target was among the first to notice that breach, other retailers such as Barnes & Noble Inc. (BKS), 7-Eleven, Inc., and J.C. Penney, Comp. (JCP) would later discover breaches from the same attack. 

Where there's common weakness, there are often multiple victims in the digital world.  In the 2005 hack and subsequent related breaches, hacker ringleader Albert Gonzalez made off with over 160 million credit cards, with damages for just three of the dozens of victims alone totalling $300M USD. 

Mr. Gonzalez -- who was famous for living large and burning a cool million dollars in cash in his backyard -- was busted by U.S. federal agents in 2008 and sentenced to 20 years in federal prison in 2010.  But that case still has yet to wrap up as a July 2013 indictment brought charges against five of his cohorts, including three suspects that remain at large.

While everyone -- including Target, surely -- is hoping for a speedy resolution, that may not be the case.  If the Target investigation follows a similar cat-and-mouse trajectory as was seen in the 2005 Target hack, it may be at least 2016 before investigators catch even one of the suspects, and 2020 or later before they begin to bring charges against and round up the remaining fugitives.  One potentially promising arrest has been made, but such leads often turn up dead ends, as they may simply be people who received stolen card info from anonymous online marketplaces set up by the main culprits.

While the public waits for justice, we may see more retail chains discover related breaches of customer data.

Wal-Mart and others have been eerily silent on the Target hack, rather than looking to leverage the embarrassment to their advantage.  The question is whether that silence is motivated simply out of common sympathy, a desire not to push expensive new solutions (like card-and-pin), or fears of breaches of their own.

In coming weeks expect that many of the nation's top retailers will be under close scrutiny, even as U.S. Secret Service agents attempt the daunting task of trying to catch the sophisticated thieves.

Sources: Fazio [clients list], Brian Krebs, Reuters
