The debit and credit card security breach that occurred at Target (NYSE:TGT) over the holiday shopping season has become a firestorm, as the big retailer revealed that 40 million shoppers possibly were victimized by credit fraudsters. From there, things only got worse: Target quickly updated the number of accounts hacked to 110 million. A few days ago, retailer Neiman Marcus acknowledged having been victimized, too -- and experts expect several more merchants to come forward with the same story before long.
The U.S. government has released information culled from its investigation of the incident to retailers in the hopes of finding other compromised point-of-sale, or POS, systems, and possibly averting other attacks. Included in the release are tips on rooting out such malware, which can evade detection by standard anti-malware programs.
Hopefully this helps, but advance knowledge of a problem is apparently not enough to prevent such a debacle. Payments giant Visa (NYSE:V) had warned retailers -- including Target -- on two separate occasions last year about just this sort of problem, supplying malware signatures and several suggestions to avoid intrusion. With this type of heads-up, why did the breach still occur?
Malware nearly invisible to protection programs
The POS malware Visa described in April and August of last year was the same kind that caused the recent upheaval: memory-scraping programs that work themselves into a merchant's Windows-based POS network, gleaning account data from the magnetic stripe on debit and credit cards. The malware parses account data while it is held in the system's random access memory, before payment authorization is completed.
POS systems are becoming increasingly popular hack targets, and the government report notes that the specific type of malware used is virtually invisible to anti-virus and anti-malware programs, so Target and other retailers may not have been able to detect it. The manner in which the malware infiltrated the system in the first place, however, appears to be an area where retailers dropped the ball.
IntelCrawler, a security firm that originally identified the creator of the malware code as a Russian teenager, notes that the hackers who obtained the program entered the retailers' systems remotely. How? Simply by repeatedly trying different passwords on remote POS servers until they got in. Apparently, uncomplicated passwords are the norm on such servers, and access is not very strict -- even though these servers can contain boatloads of data from several store locations.
Charges of negligence
Target is facing a rash of lawsuits claiming that the store was lax in protecting its customer information from hackers, as well as taking too long to publicize the data breach. Banks such as JPMorgan Chase (NYSE:JPM) are also likely to sue, particularly if Target is found to have been negligent in its security protocol. Banks could be liable for in-person transactions and will probably want to be refunded the cost of replacing compromised cards. JPMorgan has admitted to replacing 2 million cards affected by the breach.
Visa could levy fines against Target and its payment partners as well, much as it did when TJX experienced a security breach nearly 10 years ago. Lawmakers have raised a ruckus over the issue, with several Senate Democrats requesting a hearing by the Financial Services Committee.
Time will tell whether Target -- and possibly other retailers -- could have been more vigilant in foiling the attacks. If having advance knowledge of a possible assault isn't sufficient for prevention, however, it's likely that these particular types of attacks may have become altogether unstoppable.
Fool contributor Amanda Alix has no position in any stocks mentioned. The Motley Fool recommends Visa and owns shares of JPMorgan Chase and Visa.