The Target security breach that left millions of debit and credit card holders at risk of becoming victims of fraud left experts pondering the question of how such a massive theft might have occurred.
Theories varied, but the scant details released by the retailer Thursday left some experts believing the criminals had to have some inside knowledge of the company's point-of-sale system in order to compromise it so effectively.
Either people inside the organization were involved or, "at the very least, (the thieves) had sophisticated knowledge and a clear understanding of the cardholder data flows, in order to pinpoint where to steal this very specific data and then exfiltrate it," Mark Bower, director of information protection solutions at Voltage Security, said.
Target reported Thursday that card data, including customer name, credit or debit card number and the card's expiration date and CVV code, had been stolen from 40 million accounts used for shopping between Nov. 27 and Dec. 15. The CVV code is the three-digit security number found on the back of cards.
The theft may have involved tampering with the machines used to swipe cards when making purchases, The Wall Street Journal reported. The information stolen, called track data, is stored in the metal strip on the back of cards.
Target declined to discuss the breach, which a spokeswoman described as "a very sophisticated crime." The Journal reported that the theft involved Target stores nationwide and as many as 40,000 card devices may have been affected. Target has 1,797 stores in the U.S.
Bower believes the thieves may have planted malware in the electronic cash register attached to the card reader. When a card was swiped, the malicious app would copy the data likely traveling in plain text from the reader.
Modern cash registers often run on Linux or Windows operating systems, so are as vulnerable to malware as regular computers. However, how the collected data got to the thieves' computers is a head-scratcher, because the registers were likely on a closed network that isn't accessible from the Internet.
Because of the difficulty of compromising so many point-of-sale systems, other experts believed the breach more likely occurred at the corporate data center where card data may have been sent from stores before being relayed to a card-processing company.
Lucas Zaichkowsky, enterprise defense architect at AccessData, said hackers may have compromised the corporate system and planted malware that copied data just before it entered the system.
If the network between the stores and corporate systems were closed, then the data may not have been encrypted, until it left the internal network, said Zaichkowsky, a former employee of card processor Mercury Payment Systems.
"There's only three, maybe five, of these really advanced financial attackers, and they're really good at breaking in and hacking and they understand credit-card processing inside and out," Zaichkowsky said.
The fact that CVV codes were stolen was a red flag for John Kindervag, analyst for Forrester Research, who said it was an indication that Target may have had a serious security flaw.
If CVV data were stored, then that would have been a violation of the Payment Card Industry Data Security Standard (PCI DSS) that financial institutions require of businesses accepting credit cards. In addition, if the data wasn't encrypted, then that could also run against the standard.
Because so much account data was stolen in such a short amount of time, Kindervag believes its more likely the thieves broke into a database somewhere on Target's network and grabbed the data, as opposed to intercepting it in transit on the network.
"When you see that many credit-card numbers breached in a single instance, that would lead me to believe that a credit-card database itself had been stolen," Kindervag said.
Avivah Litan, analyst for Gartner, said she was confident Target was in compliance with PCI DSS, but that doesn't mean the retailer was protected 100 percent.
"It's impossible to plug up all the holes when you're a retailer," Litan said.
She gave it a "50-50 chance" that either an insider with privileged access to Target's network was involved or the thieves obtained the credentials of a privileged user.
No matter the cause, the breach is likely to cost Target millions of dollars, Litan said. Credit-card issuers are likely to raise its merchant fee on every transaction and fine Target whether it was in compliance of PCI DSS or not. In addition, the retailer may have to pay back card issuers for any fraud resulting from the breach.
Read more about data protection in CSOonline's Data Protection section.