IT Weaknesses Paved the Way for Target Hackers
Changing default passwords is a basic security precaution, but Target's IT department is not alone in having failed to do so. "If you're in IT, you probably have a lot on your plate," said Frost & Sullivan's Michael Suby. "You probably have multiple systems you have to gain access to independently, and having sophisticated passwords in each system ... can significantly add to the difficulty."
The Target data breach exposed more than 100 million customers, riled up the United States' intelligence agencies, sparked an investigation by the Justice Department, involved the U.S. Department of Homeland Security and the FBI, triggered several congressional hearings, and led several banks to re-issue their credit cards.
The hacker has variously been identified as a 17-year-old Russian or one or more other cybercriminals.
The hack apparently consisted of a drive-by SQL injection -- one of the most common attack vectors -- that took advantage of a default password in a third party's IT management software that was used by Target.
There is no such thing as perfect security, but "It is becoming clear that senior management at Target have not embraced security holistically," Craig Speizle, president of the Online Trust Alliance, told the E-Commerce Times.
"All merchants and retailers need to develop defense models to help prevent, detect and isolate a breach incident. Based on public data, it appears Target failed in these efforts," Speizle said.
Target declined to comment for this story.
"We are in the midst of an active and ongoing investigation," spokesperson Molly Snyder told the E-Commerce Times.
How the Hack Went Down
The hackers used memory-scraping malware known as "Reedum," marketed in underground cybercriminal markets as "BlackPOS," according to press reports.
Once the malware enters a system, it can gather credit card information in real time.
The malware reportedly penetrated Target's systems through a default password -- BackupU$r -- in the Best1_user sysadmin account within BMC Software's Performance Assurance for Microsoft Servers application, according to Krebsonsecurity.com.
What's a BlackPOS?
BlackPOS is aimed at point-of-sale systems. Its creator has variously been reported to be a 17-year-old or a 23-year-old, both Russians.
It was used last March to compromise thousands of U.S. bank customers' payment cards. Back then, it was being offered in underground forums as "Dump Memory Grabber by Ree."
BlackPOS infects Windows POS systems that have card readers attached. Once it enters a POS system, it steals payment card Track 1 and Track 2 data, which is information stored on credit cards' magnetic strips. The data can be used to clone the cards.
The stolen data is then uploaded to a remote server by FTP.
Retailers' Security Travails
Sysadmins "either write passwords down or don't change the default ones -- or if they do change them, [they] pick a simple password that they use over and over again," said Michael Suby, a vice president of research at the Stratecast service of Frost & Sullivan.
"If somebody gets into one system, they will probably succeed in getting into multiple doors," he told the E-Commerce Times.
Retailers have relied on PCI compliance to protect credit card information and transactions, but they are vulnerable to advanced cyberthreats, noted Chris Fedde, president of Hexis Cyber Solutions.
Further, they have multiple points of vulnerability, including credit cards, POS terminals and widely distributed networks, he said.
Redressing the Problem
Retailers need to train employees to ensure they are not easy targets, and to implement network perimeter protection like that used in other industries, Fedde suggested.
A vulnerability that's "specifically applicable to Target-like attacks," he told the E-Commerce Times, "consists of security products that sit inside the network and are custom-designed to find and remove the advanced persistent threats now preying on retailers."