While you were enjoying the holidays, someone (or several people) was laughing all the way to the bank with credit card numbers. It wasn’t until weeks later that it was discovered. Is this strange to you?
New information on how Target and Neiman Marcus were attacked has recently been released. But whether or not this has ended remains to be seen. Michaels crafts recently announced a breach as well, seemingly connected to the other two. This isn’t to frighten anyone, but truth be told, the only reason why these retail giants came clean was to protect their image. We’re glad they did! It also means positive implications are on the horizon (we hope). But if it could happen to the big dogs, then why can’t it happen to “mom-and-pop” shops?
First we need to understand how this happened to know whether it can happen again. Target officials have confirmed that malware was found on the company’s point-of-sale systems and that the attackers were able to scrape card and PIN data from the terminals just before it was encrypted. Malware, which most of us have experienced as webpages redirecting incorrectly, is what caused this fiasco, according to the latest reports from these two retailers. The data traveling from the actual card swiper through each workstation to the store’s server is not encrypted. So it passes through their computers unencrypted, opening it up to be “seen” by a vigilant malware program ready to send the information back to the crooks.
If you’ve ever typed “Google.com” in your web browser and been taken to another website, then you’ve experienced malware. Virus scans generally don’t pick up malware, unless you have a paid, souped-up version. Viruses spread and infect. Malware just does something malicious and doesn’t spread anywhere. You can download malware removal programs for free (my favorite for Windows is the free version of Malwarebytes) and they will detect and remove this stuff in about a minute.
“While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system. It appears that the malware actively collected or “scraped” credit card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have potentially been visible to the malware. To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently,” the statement said.
But there were actually two security breaches, and the first one concerned me most. The first breach happened when the crooks were able to load this malware into the Target computer framework. They supposedly were able to attach it to a Target system update so that it was sent out with a routine update to all workstations. This is what has baffled most computer geniuses so far, and probably what could get the company in trouble. Gaining access in this way has serious implications for every company, assuming they had truly secured their system like they were supposed to.
The second breach was the actual loading of the malware package onto each workstation without being detected. It’s not clear if PCI compliance (rules that govern how companies have to protect your data) states that every workstation needs to be scanned by virus and malware scanners. PCI compliance will certainly need to be updated as a result of these breaches!
To make you feel a little better, PINs are encrypted at the actual card reader and are not decrypted until they reach the card processing company. Either way, the card number, expiration date and CVV2 codes were all in plain sight.
Story written by: Mark McGinnis
Further reading on PCI compliance: http://www.computerworld.com/s/article/9245709/_After_Target_Neiman_Marcus_breaches_does_PCI_compliance_mean_anything_?taxonomyId=203&pageNumber=2