The Target Breach - Follow The Money EU
The Target Breach – Follow The Money
Page 2
Agenda
• Introductions
• How The Money Flows
• The Fraud Cycle: Who Wins? Who Loses?
• The Target Attack
• The Aftermath
Page 3
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Mark D. Rasch, Esq., Chief Privacy Officer, SAIC
Page 4
A Complete System for IR Management
Prepare – Improve Organizational Readiness
• Appoint team members
• Fine tune response SOPs
• Link in legacy applications
• Run simulations (fire drills, table tops)
Assess – Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Track incidents, maintain logbook
• Automatically prioritize activities based on criticality
• Log evidence
• Generate assessment
Manage – Contain, Eradicate and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
Mitigate – Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
THE PROCESS
MAKING MONEY MOVE
Page 6
Intro
• When a cardholder uses a credit card to purchase merchandise, the transaction moves through a process that involves authorization, clearing and settlement.
• Each step of the process involves an exchange of transaction data and money that must be settled and balanced.
• This process ends when the cardholder pays for the merchandise listed on his/her monthly statement.
Page 7
Dramatis Personae
• Cardholder – The consumer who owns the card.
• Merchant – An entity that contracts with an Acquiring Processor to originate transactions.
• Acquiring Processor – An entity that communicates with Visa to gain approvals to complete cardholder transactions; a payment processor acting in this role is an acquiring processor.
• Visa - The largest association member. Visa is the largest payment system, enabling 14,000 financial institutions to process over $1 trillion in annual transaction volume.
• Issuing Bank – The financial institution who issues the credit card. For example, CapitalOne, Chase, Wells Fargo.
Page 8
Other Parties (who can I blame?)
• Software vendor – creates and/or maintains general software
• CRM vendors and contractors – hired by merchant to maintain Customer Relations Management (CRM) data which feeds into POS terminal
• POS Terminal Vendor – supplier of POS terminals, related software, maintenance and support
• PCI DSS / PA-DSS Assessor – assesses and certifies compliance with PCI DSS standards
• IT Security Staff/Consultants – conducted pen tests, other assessments
• IT Audit (internal/external)
• Third party vendors with access to Target network (HVAC)
• Don’t forget insurers!
Page 9
The Holy Grail
• Hacker wants to get the unencrypted, plain text copies of the magstripe credit card data
  • With PIN for debit cards
  • With CVVs
  • With personal information
• How to do it?
  • Steal aggregated data (stored)
  • Aggregate stolen data
  • Combination
• Data is unencrypted only briefly
THE FRAUD CYCLE
WINNERS AND LOSERS
Page 11
Fraud Flow
• Issuer issues credit card to consumer – not secure because of cost
• Consumer fails to protect card because of zero liability
• Consumer uses card at Target store
• Consumer swipes card at POS
• Hacker steals number and sells it
• Hackers post stolen credit cards on multiple “carder” forums around the world. The card numbers are purchased and sold within minutes/hours of having been stolen
• Carders use machines to create new “bogus” credit cards
• Carders distribute these bogus cards worldwide
• Carder “mules” use the bogus cards at ATMs or stores worldwide
• Mules purchase goods (or services) online or offline
• The purloined products are sold on online auction sites
• Some of the proceeds are used to finance new hacks
Page 12
Losers
• Issuer – reissue millions of cards, call centers 24/7 at Christmas
• Consumer – loss of confidence, anxiety, monitoring, inconvenience – possible $50 loss
• Target – massive dollar loss, cost of investigation, PCI DSS “fines,” AG investigations, loss of reputation, loss of confidence
• Target Stockholders – loss of share price (short and long term)
• POS Vendor/Processor – possible liability (but look at contracts)
• Third party merchants – lost sales; cardmember “present” vs. cardmember “not present” transactions
• Manufacturers – lost sales because of fraudulent purchases
• Insurers – indemnify each of these parties
• Web/E-commerce merchants – fraudulent sales
• PCI DSS Certification entity
Page 13
SEC Disclosure
• Target stock price (6 month)
• TJX (5 year)
• Heartland Payment (5 year)
Page 14
Market Reaction?
• May 19, 2014 Bloomberg Poll
• 7 percent of shoppers plan to reduce spending at Target next year
• 85 percent expect to shop at Target about the same amount
• 7 percent will shop more
• 1 percent offered no opinion
• Star Tribune (MN) found similar results in a Minnesota poll
Page 15
Target Class Actions
• More than 90 lawsuits have been filed against Target
• Consolidated class action litigation
• Negligence and breach of contract (mostly)
Page 16
Trustmark/Trustwave Litigation
• March/April 2014
• Trustmark National Bank (NY) and Green Bank NA (Houston) were card issuers to consumers
• Some of their customers’ cards were used at Target, and thereafter used fraudulently. Had to be reissued by Trustmark and Green.
• Trustmark and Green sued Target AND Target’s PCI assessor/monitor Trustwave
• Possible third party liability for assessors?
• Case voluntarily dismissed so no precedent.
Page 17
Winners
• Verizon Business
• FBI/USSS
• Experian
• Data breach notification companies
• WalMart or competitors
• Hackers!
• Next Gen Payment System vendors
• Security Vendors/Consultants
• Forensic investigators
• Brian Krebs
• Cyber-insurance sellers
• Lawyers
Page 18
Finger Pointing – Target vs. Issuers
• Target – it’s the credit card issuers’ fault for having insecure “magstripe” credit cards (to save infrastructure costs). Target tried to push “Chip & PIN” cards but met resistance from banks. Upgrading Target alone to Chip & PIN = $100 million.
• Banks – it’s the merchant’s fault because of faulty security and trust models – PCI DSS violations.
• In 2012 banks bore 63% of fraudulent losses; merchants 37%*
• Bank losses come from counterfeit cards; merchant losses come from card-not-present (CNP) transactions on the Web, at a call center or through mail order.
• BUT – the goal is NOT to prevent/reduce fraud! The goal is to enhance consumer confidence.
* (Source: Nilson Report, August 2013)
POLL
How did Target handle their breach response?
THE ATTACK
Willie Sutton was right…
Page 21
PIN Weaknesses
• 4 digit PIN = 10,000 possible combinations (good)
• But > 10% of PINs = 1234. Expanding a bit, 1234, 0000, and 1111 = 20%
• 26.83% of PINs can be cracked using the top 20 combinations.
• Birthday years are big. The 1900 PINs (1986, 1960, 1991, and so on) are extremely popular, with PINs from later in the century used the most.
• 17.8% = couplets, such as 7878, 8181
• And don’t forget 2580
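The categories on this slide are easy to turn into a selection-time check an issuer or PIN-pad vendor can run before accepting a customer's PIN. The following is an added example, not code from the webinar or from Co3/SAIC: `VERY_COMMON` is a constructed placeholder containing only the PINs the slide itself names (not the real top-20 list behind the 26.83% figure), `KEYPAD_WALKS` holds the 2580 pattern the slide mentions, and `SAMPLE_PINS` is constructed, not real customer data.

```python
"""Classify 4-digit PINs against the weak-PIN categories the slide names.

Added example, not from the Co3/SAIC deck. VERY_COMMON is a constructed
placeholder holding only the PINs the slide itself mentions; it is not the
real top-20 list behind the slide's 26.83% figure.
"""
from collections import Counter

VERY_COMMON = {"1234", "0000", "1111", "2580"}   # constructed placeholder, see docstring
KEYPAD_WALKS = {"2580"}                          # straight down the middle column of a keypad


def classify_pin(pin: str) -> list[str]:
    """Return the weak-PIN categories a PIN falls into (empty list = none hit)."""
    if not (len(pin) == 4 and pin.isdigit()):
        raise ValueError("expected a 4-digit numeric PIN")
    reasons = []
    if pin in VERY_COMMON:
        reasons.append("very_common")
    if pin[:2] == pin[2:]:                 # ABAB couplet such as 7878 or 8181
        reasons.append("couplet")
    if pin.startswith("19"):               # 19xx reads as a birth year
        reasons.append("birth_year")
    if pin in KEYPAD_WALKS:
        reasons.append("keypad_walk")
    return reasons


def weak_share(pins) -> float:
    """Fraction of a PIN sample that hits at least one weak category."""
    return sum(1 for p in pins if classify_pin(p)) / len(pins)


def category_counts(pins) -> dict:
    """How many PINs in the sample hit each category (a PIN may hit several)."""
    counts = Counter()
    for p in pins:
        counts.update(classify_pin(p))
    return dict(counts)


# Constructed sample of customer-chosen PINs, not real data.
SAMPLE_PINS = ["1234", "7878", "1986", "4839", "2580", "8181", "1960", "5913", "0000", "3147"]

if __name__ == "__main__":
    print(f"{weak_share(SAMPLE_PINS):.0%} of the sample is weak: {category_counts(SAMPLE_PINS)}")
```

Rejecting (or at least warning on) these four categories at PIN selection removes the bulk of what a thief would try first on a skimmed card; a production list would replace the placeholder with the issuer's own observed top-N PINs.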
Page 22
Skimmers
• Another physical attack path
• Collects, stores and transmits
  • Magstripe data
  • Unencrypted PIN data
• Easy to install but needs physical access to the device
• Can transmit data by Bluetooth or TCP/IP, or store and dump
• New devices look exactly like regular PIN pads and card slots
THE TARGET ATTACK
’TWAS SOME WEEKS BEFORE CHRISTMAS…
Page 24
Target Timeline
• DOJ contacts Target to inform them of the breach
• Target meets with DOJ/USSS
• Target retains investigators
• More malware removed from 25 disconnected terminals
• Target notifies payment processors and card brands – begins malware removal
• Public breach notification
• Hackers break in using credentials from PA HVAC contractor
Page 25
More Timeline (Bloomberg)
Page 26
FireEye (now includes Mandiant)
• Target used FireEye monitoring, a malware detection tool
• Target team monitoring from Bangalore, reporting to corporate HQ in Minneapolis
• Saturday, Nov. 30 – hackers had infiltrated Target’s network but not yet removed data
• Uploaded exfiltration malware to move stolen credit card numbers – first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia
• FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …
• NOTHING HAPPENED
Page 27
What We THINK We Know – The Vulnerability
• Attack included POS Malware
• "Kaptoxa" ("potato" in Russian slang), renamed "DUMP MEMORY GRABBER by Ree[4]"
• The author of BlackPOS ("ree4") has sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit card shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others.
• BlackPOS/Kaptoxa versions and mods sold on the black market in source code form
Page 28
The Weakest Link
• Hackers broke into Target’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
• Why did an HVAC contractor have/need network credentials?
• Why was this linked to the CRM/payment database?
• What vulnerability let hackers in to Fazio’s computers?
Page 29
Timeline
• Nov. 15 (Thanksgiving) and Nov. 28 (day before Black Friday): hackers upload RAM scraping software to a small number of POS terminals at Target.
• Hackers test POS hack to make sure it works.
• Nov. 30 – expand to majority of POS devices.
• Nov. 30 – collect from live transactions.
• Nov. 30 – December 15 – collect and dump:
  • FTP from Russia?
  • Dump to hacked computer in Miami
  • Hacked drop server in Brazil
Page 30
Anatomy of a Carder Network
• Multiple Parts – Multiple Actors
• Trojan/Malware design
• Access/Hack
• Malware injection – social network?
• Exploitation/harvesting
• Acquisition of data and selling of data
• Conversion of data to cards/goods/services
• Conversion of goods/services to money
• Distribution of money
Page 31
Curiosities of Target Hack
• Obtained PIN – suggests hack at POS
• BUT – obtained e-mail addresses – suggests hack at CRM
• Hacked tens of millions – suggests aggregated data
• BUT attack profile suggests individual POS attacked
• Targeted to Target’s software BUT
• Multiple entities compromised
Page 32
Breach Aftermath
• Breach affected two types of data:
  • payment card data of 40 million who shopped at Target US stores from November 27 through December 18
  • personal data (name, mailing address, phone number or email address) of 70 million people
• Hacker stole a vendor’s credentials to access Target system
• Placed malware on POS terminals
• Designed to capture payment card data from the magnetic stripe of credit and debit cards prior to encryption within Target system
• Malware also captured encrypted PIN data
Page 33
Breach Aftermath
• Target CEO Gregg Steinhafel resigned. No bonus or short-term cash incentive
• Target CIO Beth Jacob (CIO since 2008) resigned
• Stock price down
• Consumer confidence down
• More than 90 lawsuits have been filed against Target
• Target spent $61 million through Feb. 1 responding to the breach
• Target’s profit for the holiday shopping period fell 46 percent from the same quarter the year before; the number of transactions suffered its biggest decline since the retailer began reporting the statistic in 2008.
Page 34
RILA Information Sharing
• Retailers launched the Retail Cyber Intelligence Sharing Center
• American Eagle Outfitters, Gap Inc., J. C. Penney Co., Lowe’s, Nike, Safeway, Target, VF Corp. and Walgreen Co. are participating in the initiative, according to the Retail Industry Leaders Association.
• No word on whether Wal-Mart will participate
Page 35
Target Security
• SOC manager Brian Bobo departed the company in October, leaving a crucial post vacant.
• Alerts sent from FireEye, not responded to
• Symantec Endpoint Protection identified suspicious behavior over several days around Thanksgiving – pointing to the same server identified by the FireEye alert
• Malware disguised with name “BladeLogic”
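The detection failure described on this slide and on the FireEye slide above has two parts: two independent tools flagged the same server and nobody joined them up, and the alerts then sat unacknowledged. The following is an added example of the triage logic that closes both gaps; it is not Target's or Co3's tooling. The tool names are the two the deck mentions, while the hostnames, timestamps, the seven-day correlation window and the four-hour acknowledgement SLA are constructed.

```python
"""Correlate alerts from independent tools per host and surface unacknowledged ones.

Added example, not Target's or Co3's tooling. The tool names are the two the
deck mentions; hostnames, timestamps and the SLA are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert feed as a SOC queue might hold it. Only one alert was ever acknowledged.
ALERTS = [
    {"tool": "Symantec", "host": "srv-017",  "ts": "2013-11-28T09:40:00", "detail": "suspicious process", "acked": False},
    {"tool": "Symantec", "host": "srv-017",  "ts": "2013-11-29T11:05:00", "detail": "suspicious process", "acked": False},
    {"tool": "FireEye",  "host": "srv-017",  "ts": "2013-11-30T03:12:00", "detail": "malware.binary",     "acked": False},
    {"tool": "FireEye",  "host": "pos-0442", "ts": "2013-11-30T03:15:00", "detail": "malware.binary",     "acked": False},
    {"tool": "Symantec", "host": "wks-210",  "ts": "2013-11-25T08:00:00", "detail": "adware",             "acked": True},
]


def _parse(alert: dict) -> dict:
    return {**alert, "ts": datetime.fromisoformat(alert["ts"])}


def correlate(alerts, window: timedelta = timedelta(days=7)) -> dict:
    """Per host: distinct tools alerting inside `window` of the host's latest alert.
    Two independent tools agreeing on one host is escalated to P1; one tool is P3."""
    by_host = defaultdict(list)
    for a in map(_parse, alerts):
        by_host[a["host"]].append(a)
    findings = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        latest = items[-1]["ts"]
        tools = sorted({a["tool"] for a in items if latest - a["ts"] <= window})
        findings[host] = {
            "tools": tools,
            "alerts": len(items),
            "priority": "P1" if len(tools) >= 2 else "P3",
            "first_seen": items[0]["ts"].isoformat(),
        }
    return findings


def triage_queue(findings: dict) -> list[str]:
    """Analyst work order: P1 first, then most alerts first, then by name."""
    return sorted(findings, key=lambda h: (findings[h]["priority"], -findings[h]["alerts"], h))


def overdue(alerts, now: str, sla: timedelta = timedelta(hours=4)) -> list[tuple]:
    """Unacknowledged alerts older than the SLA at time `now`: the 'nothing happened' condition."""
    now_ts = datetime.fromisoformat(now)
    return [(a["host"], a["tool"], a["ts"].isoformat())
            for a in map(_parse, alerts)
            if not a["acked"] and now_ts - a["ts"] > sla]


if __name__ == "__main__":
    findings = correlate(ALERTS)
    for host in triage_queue(findings):
        print(host, findings[host])
    print("overdue:", overdue(ALERTS, now="2013-12-02T09:00:00"))
```

Run as a scheduled job, `overdue()` is the piece that would have paged someone when the Bangalore escalation went nowhere; `correlate()` is what makes the Symantec and FireEye findings on one server read as a single P1 rather than two unrelated tickets.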
Page 36
Malware Passwords
• Crysis1089 – an Xbox gamer’s name plus October 1989 (Ukrainian independence day)
• Rescator – pirate in the 1967 French film Indomptable Angélique
• Ukrainian trafficker in stolen credit card numbers
• Cheapdumps.org
• Lampeduza.la
• Names associated with Laos, Somalia, and the former Soviet Union, but
• Operating in Odessa
Page 37
Rescator.so
• Sells exploit code
• Sells stolen cards (bulk discount in thousands)
• Filter by
  • Issuing bank
  • Type of card (ATM, American Express Blue, Visa, etc.)
  • Expiration date
  • Last four digits
  • City
• Cost – $6 (prepaid gift card) to $200 (American Express Platinum)
• Accepts Bitcoin and Western Union – return policy!
• March 2014 – Rescator hacked; logins, passwords, and payment information of carders stolen!
Page 38
Exfiltration
• Malware designed to send data automatically to three different U.S. staging points
• Malware had user names and passwords for the thieves’ staging servers (Ashburn, Va., Provo, Utah, and Los Angeles) embedded in the code
• Exfil happened only between the hours of 10 a.m. and 6 p.m. Central Standard Time (blending in with regular working-hours traffic)
• 11 gigabytes of data moved from the staging points to a Moscow-based hosting service called vpsville.ru
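Timing the transfers to business hours defeats a detector that keys on odd-hour traffic, but it does nothing against one that asks whether a POS terminal should be sending bulk data to that destination at all. The following is an added example of that destination-and-volume check over flow records; it is not Target's or Co3's tooling, and the POS subnet, the allow-listed processor gateway, the 5 MiB threshold and every flow line are constructed.

```python
"""Flag bulk outbound transfers from POS hosts to destinations they should never talk to.

Added example, not Target's or Co3's tooling. The POS subnet, the allow-listed
processor gateway, the byte threshold and every flow record are constructed.
"""
import csv
import ipaddress
from collections import defaultdict
from datetime import datetime
from io import StringIO

POS_NET = ipaddress.ip_network("10.20.0.0/16")             # constructed POS VLAN
ALLOWED_DST = {ipaddress.ip_address("10.50.1.10")}          # constructed processor gateway
BYTES_THRESHOLD = 5 * 1024 * 1024                           # 5 MiB per (src, dst) per day

# Constructed flow export (local timestamps). 203.0.113.25 plays the external staging host.
FLOW_LOG = """\
timestamp,src_ip,dst_ip,dst_port,bytes_out
2013-12-02T10:15:00,10.20.3.41,10.50.1.10,443,120000
2013-12-02T10:42:00,10.20.3.41,203.0.113.25,21,3800000
2013-12-02T13:05:00,10.20.3.41,203.0.113.25,21,2900000
2013-12-02T14:30:00,10.20.7.12,10.50.1.10,443,98000
2013-12-02T15:10:00,10.20.7.12,203.0.113.25,21,1500000
2013-12-02T16:55:00,10.20.3.41,203.0.113.25,21,800000
2013-12-02T17:20:00,10.20.9.5,10.60.2.2,8530,4000000
"""


def parse_flows(text: str) -> list[dict]:
    """Parse the CSV export into typed records."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "src": ipaddress.ip_address(row["src_ip"]),
            "dst": ipaddress.ip_address(row["dst_ip"]),
            "port": int(row["dst_port"]),
            "bytes": int(row["bytes_out"]),
        })
    return rows


def _unexpected(r: dict) -> bool:
    """A POS source talking to anything but the allow-listed gateway is unexpected."""
    return r["src"] in POS_NET and r["dst"] not in ALLOWED_DST


def find_bulk_egress(rows, threshold: int = BYTES_THRESHOLD) -> dict:
    """(src, dst) pairs whose unexpected outbound volume crosses the threshold.
    Hour-of-day is recorded but deliberately not used as a filter: traffic in
    business hours is exactly what an attacker blending in would produce."""
    totals, hours = defaultdict(int), defaultdict(set)
    for r in rows:
        if not _unexpected(r):
            continue
        key = (str(r["src"]), str(r["dst"]))
        totals[key] += r["bytes"]
        hours[key].add(r["ts"].hour)
    return {k: {"bytes": v, "hours": sorted(hours[k])}
            for k, v in totals.items() if v >= threshold}


def egress_by_destination(rows) -> dict:
    """Unexpected outbound bytes summed per destination across all POS sources,
    so a collector fed by many terminals in small pieces still stands out."""
    totals = defaultdict(int)
    for r in rows:
        if _unexpected(r):
            totals[str(r["dst"])] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for pair, info in find_bulk_egress(flows).items():
        print(f"{pair[0]} -> {pair[1]}: {info['bytes']} bytes during hours {info['hours']}")
    print(egress_by_destination(flows))
```

The per-destination sum matters as much as the per-pair one: a staging host receiving a little from each of many terminals never crosses a per-pair threshold but is obvious in aggregate. In practice the allow-list is the control that makes the detection cheap, since a POS segment with a tight egress policy has very few legitimate destinations to enumerate.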
Page 39
Target Responses
1. End-to-end review of security of network.
2. Increased fraud detection for Target REDcard customers.
3. Reissuing new Target credit or debit cards to any customer who requests one.
4. Offering one year of free credit monitoring and identity theft protection to anyone who has ever shopped at our U.S. Target stores. Includes free credit report, daily credit monitoring, identity theft insurance and unlimited access to personalized assistance from fraud resolution agent.
5. Told customers to monitor accounts, and that there is zero liability.
6. Adding PIN and Chip for Target REDcards and POS.
7. $5MM for BBB and National Cyber Security Alliance and the National Cyber-Forensics & Training Alliance to advance public education around cybersecurity and the dangers of consumer scams.
8. Launch a retail industry Cybersecurity and Data Privacy Initiative that will be focused on informing public dialogue and enhancing practices related to cybersecurity, improved payment security and consumer privacy.
POLL
What could Target have done better?
THE AFTERMATH
SEND IN THE LAWYERS…
Page 42
Chip and Pin?
• Hack-resistant chip on card
• Machine readable – encrypted
• Requires PIN to activate
• More secure than magstripe?
• Chip must be read / PIN must be entered
• Harder to recreate encrypted chip
• But can still do online purchases with stolen card
• Default is to magstripe
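The reason a chip is "harder to recreate" than a magstripe is that the chip signs each transaction with a counter and a terminal nonce, so captured data cannot be presented twice, while track data is the same bytes every swipe. The following added example models that difference and the "default is to magstripe" point with a fallback policy; it is not the EMV specification and not code from the deck: an HMAC over (amount, nonce, counter) stands in for the card's cryptogram, the issuer checks are reduced to the two that matter here, and the PAN, key and amounts are constructed. It does not model the card-not-present case, which the chip does nothing for.

```python
"""Static magstripe data vs. a per-transaction chip cryptogram, in a toy model.

Added example, not from the deck and not the EMV specification: an HMAC over
(amount, terminal nonce, transaction counter) stands in for the card's ARQC,
and the issuer checks are reduced to the two that matter here. PAN, key and
amounts are constructed.
"""
import hashlib
import hmac
import secrets


class Card:
    """A chip card that also carries a static magstripe track."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self.track2 = f"{pan}=2512101"   # constructed static track data
        self._key = key                  # chip-resident secret, never exported
        self.atc = 0                     # application transaction counter

    def generate_cryptogram(self, amount: int, unpredictable_number: str) -> dict:
        """Each call advances the counter, so no two cryptograms are alike."""
        self.atc += 1
        msg = f"{amount}|{unpredictable_number}|{self.atc}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        return {"atc": self.atc, "un": unpredictable_number, "arqc": mac}


class Issuer:
    def __init__(self, decline_fallback: bool):
        self.keys, self.last_atc, self.chip_cards = {}, {}, set()
        self.decline_fallback = decline_fallback   # refuse magstripe use of chip-issued cards

    def enroll(self, pan: str, key: bytes, chip: bool) -> None:
        self.keys[pan], self.last_atc[pan] = key, 0
        if chip:
            self.chip_cards.add(pan)

    def authorize_magstripe(self, track2: str, amount: int) -> bool:
        pan = track2.split("=")[0]
        if pan not in self.keys:
            return False
        if self.decline_fallback and pan in self.chip_cards:
            return False
        return True   # static data: a copy is indistinguishable from the card

    def authorize_chip(self, pan: str, amount: int, cg: dict) -> bool:
        key = self.keys.get(pan)
        if key is None or cg["atc"] <= self.last_atc[pan]:
            return False                  # unknown card, or a counter value already used
        msg = f"{amount}|{cg['un']}|{cg['atc']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, cg["arqc"]):
            return False                  # amount, nonce or counter was altered
        self.last_atc[pan] = cg["atc"]
        return True


def run_scenarios() -> dict:
    key, pan = b"constructed-card-key", "4111111111111111"   # constructed test values
    card = Card(pan, key)
    lenient, strict = Issuer(decline_fallback=False), Issuer(decline_fallback=True)
    for issuer in (lenient, strict):
        issuer.enroll(pan, key, chip=True)
    captured_track = card.track2                 # what a skimmer or RAM scraper gets
    results = {
        "magstripe_first": lenient.authorize_magstripe(captured_track, 4999),
        "magstripe_replay": lenient.authorize_magstripe(captured_track, 25000),
    }
    cg = card.generate_cryptogram(4999, secrets.token_hex(4))   # terminal nonce
    results["chip_first"] = lenient.authorize_chip(pan, 4999, cg)
    results["chip_replay"] = lenient.authorize_chip(pan, 4999, cg)            # same cryptogram again
    results["chip_tampered"] = lenient.authorize_chip(pan, 25000, {**cg, "atc": cg["atc"] + 1})
    results["fallback_strict"] = strict.authorize_magstripe(captured_track, 4999)
    return results


if __name__ == "__main__":
    for name, approved in run_scenarios().items():
        print(f"{name:16s} {'APPROVED' if approved else 'DECLINED'}")
```

The two lines to read side by side are `magstripe_replay` (approved, because the issuer has nothing to distinguish a copy from the card) and `chip_replay` (declined on the counter alone, before the MAC is even checked). The `strict` issuer shows why the "default is to magstripe" bullet is a policy question for the issuer, not the merchant.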
Page 43
EMV (Europay, Mastercard, VISA) Chip Adoption
Page 44
Enforcement Actions
• Federal Trade Commission – Section 5 of FTC Act
  • Enforce privacy policies and challenge data security practices that cause substantial consumer injury
• State Attorney General – State Notification Statutes
  • Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
  • Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”.
• Litigation in federal or state courts
QUESTIONS
Page 46
Next Up
• Our next EU webinar – details coming soon
• FIRST Annual Conference – June 22-27, Boston, MA
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Mark D. Rasch, [email protected](301) 547-6925
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013