Life after Target and other titbits

Last few days of 2013 were a nightmare for the retail giant Target. Here are a few updates on the same:-

(a) Target plans to lead the US retailers to embrace the European "Chip-and-PIN" credit card payment processing. This will be costly and will take time.
(b) A RAM scraper, memory-parsing malware grabbed TargetÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼├║├ö├Â┬ú├ö├▓├╣s plain text data [being called the blackPOS]. VISA Inc. had alerted retailers in April and August 2013 about presence of such malware in the wild.
(c) Target acknowledged its attack after a security blogger reported the breach.
(d) Target also has $100Mn as insurance cover. NEWS Article available here

VerizonÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼├║├ö├Â┬ú├ö├▓├╣s 2013 Data Breach investigation Report available here has summarized 2013 breaches as:-

├ö├Â┬úÔö£├é├ö├Â┬úÔö£├®├ö├Â┬╝├ö├▓├ÿÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£┬║ 24% of breaches are in retail
├ö├Â┬úÔö£├é├ö├Â┬úÔö£├®├ö├Â┬╝├ö├▓├ÿÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£┬║ 37% of breaches affect financial organizations.
├ö├Â┬úÔö£├é├ö├Â┬úÔö£├®├ö├Â┬╝├ö├▓├ÿÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£┬║ 38% of breaches impact larger organizations.
├ö├Â┬úÔö£├é├ö├Â┬úÔö£├®├ö├Â┬╝├ö├▓├ÿÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£┬║ most breaches are detected weeks/months later and
├ö├Â┬úÔö£├é├ö├Â┬úÔö£├®├ö├Â┬╝├ö├▓├ÿÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£┬║ 52% of breaches are detected by unrelated parties.

The report also highlights Cyber crimes, digital risk management and privacy protection as significant capital expenses in 2014 for the Retail industry AND the Financial Service industry. It also indicates that the RAM scrapers and network/system utilities (Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼ÔòØ├ö├Â┬ú├ö├▓├ªAdminwareÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼├║├ö├Â┬ú├ö├Â├ë) as a significant contributor to financial crime.

Rate this article: 
Average: 1 (1 vote)

There are 5 Comments

In a report released Jan. 16th, iSight Partners identified the tool as Trojan.POSRAM, which it described as software that can find, store and transmit credit card and PIN numbers from POS systems.
The Trojan is being used in a "persistent, wide ranging, and sophisticated" cyber campaign dubbed KAPTOXA targeting "many operators" of POS systems, the company warned. Some affected companies may not yet know they've been compromised or have already lost data, the iSight report noted. It has not been announced how the Trojan was installed in nearly 1,800 store POS systems. The Commenter suspects a central server compromise, possibly by or with the help of an insider, using software push techology used to update the store servers.

Hackers had stolen a trove of data from Target PoS/ Servers. About 110 million customer card data and pin. Target customers exposed could still grow further like Adobe. Another major retailer, Neiman Marcus was next to be breached. TargetÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼├║├ö├Â┬ú├ö├▓├╣s customer sales have been noticeably hit. The far reaching ramifications is that data theft has reached far beyond the retailers. Card companies and banks have been issuing fraud warnings to their customers and providing new cards and accounts as a precaution. With the data available from the Target fraud in black market, there is fifty fold increase in high-value stolen card transactions on black market websites. In the case of Adobe, payment card and personal data theft rose from 2.9 million customers to about 40 million eventually or more ? The question is can a enterprise recover from such an attack ? Is data breach recovery feasible? & To what extent? Why arenÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼├║├ö├Â┬ú├ö├▓├╣t enterprises realizing this potential threat?

<p>The hackers were able to get credentials for Target's network stolen from Fazio Mechanical Services, a heating, ventilation, and air conditioning (HVAC) company, according to independent security reporter Brian Krebs. They were first used to access Target's network on November 15, 2013. Fazio President Ross Fazio told Krebs that the US Secret Service, which customarily investigates these kinds of cases, visited his company's offices in Sharpsburg, Penn., but that he wasn't there during the visit. A fraud analyst with Gartner estimated to Krebs that Target could be forced to pay up to $420 million to cover costs associated with the breach, including noncompliance with credit card network standards, banks reissuing cards, legal fees, credit monitoring, and other costs. Those costs apparently don't include an upgrade to the more secure chip-and-pin credit cards and card readers</p>