By the numbers alone, basically everyone in the country has been the victim of at least one data breach in the past year, if not more. 106 million Americans had their card data stolen from Target and Home Depot alone, to say nothing of the data breaches at Jimmy John’s, Dairy Queen, P.F. Chang’s, UPS, Albertsons, Jewel-Osco, ACME, Shaw’s, Sally Beauty Supply, Goodwill, some Marriott hotels, Neiman Marcus, and Michael’s craft stores. And that isn’t even considering other breaches that were too small to make national headlines, or that simply haven’t been discovered yet.
Websites, online services, and databases get hacked too, of course, as Chase, Adobe, and Sony could unhappily tell you. But hacks in good old-fashioned brick-and-mortar retail stores have skyrocketed in recent years. And it’s not just about how often they happen; it’s about how widespread they are able to become.
So if you, as you replace your credit card for the third time in a year, are tempted to shout to the sky, “Why?! Why does this keep happening? Make it stop!,” then read on.
As with any crime, there are three main elements to massive retail hacks: means, motive, and opportunity.
The means? You need three things: a computer, an internet connection, and an education, either formal or informal, in how to use them. It’s a big world, with a lot of people in it who have plenty of coding know-how and both the desire and ability to break — or break into — something.
So why use those powers for evil, instead of for good? That’s a driving motive easy enough for anyone to understand: if you are good at it, crime pays. It pays really, really well.
Indeed, the annual Verizon Data Breach Investigations Report (2014 version available here), finds that although ideology and espionage are both also drivers, the vast majority of attacks, hacks, and breaches are motivated by plain old financial gain.
The largest payment card breaches on record, by number of cards:
2008: Heartland Payment Systems
• 130 million cards
2007: TJX Companies
• 94 million cards
2014: Home Depot
• 56 million cards
2013: Target
• 40 million cards (110 million total records)
2005: CardSystems Solutions
• 40 million cards
Security expert Brian Krebs — the man who discovered and broke the news about both the Target and Home Depot hacks, among others — has delved into the markets where stolen card numbers are resold. When the cards stolen from Target were new, he found, they went for between $26.60 and $44.80 each. By February, prices were as low as $8 because the card numbers were less likely still to be valid.
Krebs later estimated that somewhere around 2%-4% of the card numbers stolen from Target were successfully sold. Out of 40 million cards, that’s somewhere between 800,000 and 1.6 million sales. Even if you assume none of those sold for more than $8, that’s still a total of between $6.4 and $12.8 million.
That’s the lowest, most conservative estimate. More likely, the group who sold those credit card numbers netted something like $15-$20 million for them all, if not far more.
Not a bad haul for a few months’ work done from the comfort of a desk chair. And certainly a much better risk-benefit proposition than walking into a bank with a gun and a note.
And opportunity? Well, that’s everywhere. In the specific sense, many stores’ payment systems are not as secure as they should be (more about that in a moment) and since they can be hacked, they will be.
But in the broader sense, globalization, and the worldwide reach of the internet, also help provide the opportunity. The malware is often designed and sold by Russian hackers, who can easily target American stores and then sell the stolen credit cards to buyers worldwide.
Criminals can reach across national borders more quickly than retailers and law enforcement can. That’s not to say that the FBI can’t catch crooks who make their home bases abroad, because they can. But catching Americans is easier.
There are also some political underpinnings. The individuals and groups behind the Target and Home Depot hacks, specifically, have some anti-western, anti-American leanings and are happy to target American capitalism for political reasons as well as the practical ones.
The window of opportunity, though, may eventually be closing. The United States is poised finally to begin joining the rest of the world with smarter credit card technology that’s less susceptible to POS attacks, in 2015 and beyond.
From a high level, the process of stealing 50 million credit card numbers is surprisingly straightforward.
But of course, the devil is in the details.
• Cash registers don’t transmit raw credit card data to banks. It’s encrypted before being sent out.
• But the register may very briefly hold on to that unencrypted data in its memory.
• If hackers can access the RAM of these vulnerable registers, they may be able to steal that unencrypted data for their own use.
The 2014 Verizon report does note a “renaissance” of POS malware attacks in the past year, and that’s where the big headline-grabbing hacks came from.
The malware that was used against both Target and Home Depot is called BlackPOS. IT security experts discussed the highly technical ins and outs with Krebs earlier this year, but the gist is that BlackPOS is a “RAM scraper” that manages to grab unencrypted information out of a terminal’s memory. It’s not the first — RAM-scraping is an old idea — but it is, for now, the biggest.
When we go shopping, most of us just swipe or tap our cards at the register and don’t really think about it much more than that. But a point-of-sale (POS) system is, like so many other things, basically just a small and specialized computer. It has the part you physically slide your card through, which is the hardware. And it has the programmed parts that tell the hardware what to do and how to do it, and that capture information from the magnetic strip in your card and turn that information into payment: the software.
The malware used in the retail hacks is basically a giant virtual skimmer: it captures information from the payment card at the moment you swipe, and sends that information flitting away through the internet into the bad guys’ virtual pocket.
The vendors who create payment systems aren’t stupid; they (are supposed to) adhere to a set of data security standards that requires payment information to be encrypted end-to-end. That is, data is encrypted when it’s transmitted or received. But that leaves two vulnerable moments: when the data is captured before being transmitted, and when the data is decrypted for processing after being received.
A payment system, like most other computer systems, has short-term system memory that it uses to hold information while it processes. The RAM-scraping malware installed on POS systems reaches into that memory in the instant the card has been swiped, and grabs the shadow of the unencrypted payment information in the split second before it vanishes.
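To make the “two vulnerable moments” concrete, here is an added toy simulation (not code from the article or from any real POS vendor) of a register’s working memory. The terminal, the track-2 sample, the one-time-pad stand-in for the real transport encryption, and the `wipe_after` switch are all constructed for illustration. It shows that encrypting the data for transit does nothing about the plaintext copy still sitting in RAM, and that the exposure window only closes when the register overwrites that buffer as soon as the encrypted blob has been handed off.

```python
import secrets

# Constructed sample track-2 data using a well-known test card number, not a real card.
SAMPLE_TRACK2 = b";4111111111111111=25121015432112345678?"


class PosTerminal:
    """Toy point-of-sale terminal (illustration only, not real POS software)."""

    def __init__(self) -> None:
        # Short-term working memory: a mutable buffer so it can be overwritten in place.
        self._buffer = bytearray()

    def swipe(self, track_data: bytes) -> None:
        """The card reader hands the terminal the raw, unencrypted track data."""
        self._buffer = bytearray(track_data)

    def encrypt_for_transit(self) -> tuple[bytes, bytes]:
        """Stand-in for the terminal's transport encryption.

        A one-time pad with a fresh random key per swipe; the key is assumed to be
        shared with the processor out of band. The point is not the cipher but that
        encrypting makes a new copy and leaves the plaintext buffer untouched.
        """
        key = secrets.token_bytes(len(self._buffer))
        ciphertext = bytes(b ^ k for b, k in zip(self._buffer, key))
        return ciphertext, key

    def wipe(self) -> None:
        """Overwrite the working buffer so the plaintext does not linger in RAM."""
        for i in range(len(self._buffer)):
            self._buffer[i] = 0

    def memory_holds(self, needle: bytes) -> bool:
        """The question a RAM scraper asks: is this plaintext still in memory?"""
        return needle in self._buffer


def process_swipe(track_data: bytes, wipe_after: bool) -> dict:
    """Run one transaction and record whether the PAN was readable at each stage."""
    # The PAN is everything before the '=' field separator, minus the start sentinel.
    pan = track_data.split(b"=")[0].lstrip(b";")
    terminal = PosTerminal()
    terminal.swipe(track_data)
    exposed_at_capture = terminal.memory_holds(pan)

    ciphertext, key = terminal.encrypt_for_transit()
    exposed_after_encrypt = terminal.memory_holds(pan)  # still True: encryption copied, not moved

    if wipe_after:
        terminal.wipe()  # closes the window the scraper relies on
    exposed_after_send = terminal.memory_holds(pan)

    # The processor side: decrypting the blob must still yield the original data.
    recovered = bytes(c ^ k for c, k in zip(ciphertext, key))
    return {
        "at_capture": exposed_at_capture,
        "after_encrypt": exposed_after_encrypt,
        "after_send": exposed_after_send,
        "processor_decrypts_ok": recovered == track_data,
    }


if __name__ == "__main__":
    for wipe in (False, True):
        print("wipe_after=%s -> %s" % (wipe, process_swipe(SAMPLE_TRACK2, wipe)))
```

Two caveats worth keeping in mind. In a garbage-collected language the `bytes` object the reader produced may still exist elsewhere until collected, so the wipe only shrinks the window rather than eliminating it; and the capture moment itself is only truly removed when the read head encrypts before the POS application ever sees plaintext, which is what the end-to-end encryption and EMV measures the article mentions are meant to achieve.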
Retailers and payment vendors do of course use industrial-strength virus and malware scanners to identify and remove threats from their systems. But the bad guys who make the malware are often one step ahead. In the case of BlackPOS, Krebs explains, the version of the software that hit Home Depot was able to disguise itself as part of that very antivirus program.
How They Get In
Almost any system has a way to break in.
In the case of Target, hackers didn’t steal access information from anyone at Target. Instead, they focused on a weaker link: a third-party vendor. That vendor, a heating and air conditioning company, had a connection to Target’s networks that they used “for electronic billing, contract submission and project management,” as they explained in a statement last February.
Home Depot, meanwhile, did leave themselves vulnerable, according to former IT employees. After talking with those employees, the New York Times reports that in 2012 and 2013, Home Depot was still using security software from 2007-2008, and also not thoroughly scanning their network for suspicious activity. By the time the store finally took strong action, in the wake of the Target data breach, it was too late: the hack was already in progress.
Two years ago, in 2012, the company did finally hire a new IT security architect to deal with their network issues, and they promoted him in 2013. However, in April of this year he was convicted of sabotaging network security at his previous employer and sentenced to four years in federal prison. So… not exactly the most reliable guy to fix your glaring network security holes.
In fact, people are the weakest link in pretty much any network security setup. The infamous annual hacker conference, DEFCON, has for several years run a very successful social engineering competition, in which the hackers use simple web research and phone calls to get all of the information they need out of unsuspecting company employees.
In 2012, for example, the contest’s winner successfully got a Walmart store manager to tell him everything he would need to know in order to infiltrate the store’s whole network, which would give a less ethical hacker all the access he needed to work some malware into the system. And while the Walmart call was the winner, for collecting the most “flags” (pieces of vital information), participants calling Target, FedEx, Verizon, Cisco, AT&T, Hewlett-Packard, and UPS were also able to extract a significant amount of information within the twenty-minute time limit.
And of course, there’s the good old-fashioned trick of stealing login credentials directly, either through phishing expeditions or through website hacks. That’s why we’re all supposed to use different passwords for every site and network. That way when your password for a hobbyist forum is stolen, the thieves who stole and possibly sell it won’t get anywhere trying to use it on other sites and networks you access — both personal and professional.
Home Depot employs over 340,000 people. Target has 366,000. And Walmart employs over 1.3 million just in the U.S. (over 2 million worldwide). With a pool of tens or hundreds of thousands of potential targets at the country’s biggest corporations, chances are someone, somewhere will make a critical error and let the wrong information slip.
So how does a pile of thousands or millions of stolen credit card numbers become cold, hard cash?
As a computer security expert explained to USA Today last week, there’s a whole supply chain for stolen cards. So the hackers are the manufacturers and the wholesalers. Then come middlemen.
The people who buy black-market credit card numbers use them to make cloned cards. The equipment to take a bunch of plastic blanks and throw embossed numbers and magnetic strips onto them costs about $500 — a very low barrier to entry. So the middlemen take their list of numbers and expiration dates and make passably valid cards.
(This is why chip-and-pin (EMV) card technology is less susceptible to POS hacking: because without the computer chip in the original card being physically present, no cloned card will work. Duplicating the information in the magnetic strip alone is not enough to create a working EMV card.)
Armed with a nice big stack of fake credit cards, the folks at the next level down in the operation get to work. They go out and buy things that can be resold for large amounts of cash. So there are plenty of big-screen TVs and Xboxes on the shopping list, as you might expect. But, USA Today explains, one of the most popular targets? Gift cards.
Pretty much any grocery or drug store these days has in it a display containing gift cards for dozens or hundreds of other stores. They are incredibly effective money-laundering tools: once there’s $100 on a gift card, it stays valid. It doesn’t matter where that hundred bucks came from or if the credit card used to fill the gift card is cancelled.
After that, the gift cards can either be kept and used, or — like big-ticket physical goods — resold for cash in hand.
Here’s a cheerful thought: there is absolutely nothing that you can do about this situation. Individual consumers are pretty much powerless to prevent retail hacks.
Give your statements a good strong look.
And do it several times per week. Remember balancing the checkbook? Approach your review with that mentality: look for any transactions, no matter how small, that you can’t identify.
If you see anything “off,” call your bank and report the fraud immediately. The sooner you report any fraudulent transactions, the less liability you have for them.
Call your card-issuing bank.
Some banks proactively contact customers and/or issue new cards, after a major data breach makes headlines. If your bank doesn’t, call them! Tell them which data breach you got dinged in and that your number is out in the wild. They’ll probably offer to replace your card.
That free credit monitoring won’t help (but it probably won’t hurt, either).
It’s stage 2 of the public mea culpa every company goes through: offering a year of free credit report monitoring to affected consumers… even though credit report monitoring is completely useless for protection when just payment card info is stolen. And don’t forget to do your own free credit report monitoring as well.
That’s not to say that we shouldn’t all be aware of security best practices, and we’ve heard them all a thousand times: use good passwords. Change them often. Don’t re-use them. Enable two-factor authentication on all the things. Be smart about where you shop. Look for skimmers. Cover the PIN pad when you enter your code. Keep an eye on your surroundings. Don’t use sketchy-looking stand-alone ATMs. Check your credit and debit card statements regularly. Get your annual credit reports.
But almost every action an individual consumer can take is about mitigating or recovering from harm, not preventing it. And most of what we know how to do deals with online or mobile shopping, not traditional brick-and-mortar stores.
Whether it’s a mom-and-pop candy shop or the world’s largest Walmart, protecting point-of-sale transactions is something that retailers and payment processors have to work out on their end. We can’t do much except choose where (not) to shop.
So what is it retailers need to do differently?
The Verizon report concludes its section on point-of-sale hacks with some common-sense admonitions to retailers of every size. Among them: restricting outside access to the network, enforcing strong password policies, forbidding social-media and other personal use on computers that also handle sales, and using (and updating!) anti-virus software.
But although those are all good ideas and best practices, those tricks alone will not protect a nationwide retailer. Not by a long shot. For a national chain, the Verizon report has a few extra suggestions.
One: stores need to “debunk the flat network theory.” The POS network, the report suggests, should be treated completely separately from the corporate network. That way someone who gets into the latter can’t run rampant in the former.
Two: retailers really need to be looking for suspicious network activity. Watch the traffic! If there is network traffic going out when it shouldn’t be, from a place where it shouldn’t be, that’s a sign that there is a problem.
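Here is an added example (not from the article or the Verizon report) that turns the first two suggestions into a check a retailer’s monitoring team could run over connection logs. The network layout, the allowed payment-processor address, the trading hours, the bulk-transfer threshold, and the four log lines are all constructed; real deployments would read these from the firewall and the store’s own network inventory. A register talking to the corporate segment (or vice versa) is a “flat network” finding; a register talking to any outside host other than the processor, moving an unusual amount of data, or doing so at 3 a.m. is the kind of traffic the report says to watch for.

```python
import ipaddress
import re
from datetime import datetime

# Constructed network layout (documentation address ranges, not a real retailer's).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")        # registers and their patch host
CORPORATE_SEGMENT = ipaddress.ip_network("10.50.0.0/16")  # back office, e-mail, web browsing
PAYMENT_PROCESSOR = {ipaddress.ip_address("198.51.100.10")}  # the only legitimate outside peer
BULK_BYTES = 1_000_000          # more than this leaving one register in one flow is suspicious
OPEN_HOUR, CLOSE_HOUR = 6, 23   # store trading hours; registers should be quiet otherwise

# Constructed connection-log lines in a simple key=value format.
SAMPLE_LOG = [
    "2014-09-02T14:03:11 src=10.20.5.17 dst=198.51.100.10 dport=443 bytes=2048",
    "2014-09-02T03:14:07 src=10.20.5.17 dst=203.0.113.45 dport=21 bytes=1843200",
    "2014-09-02T10:22:40 src=10.50.3.9 dst=10.20.5.17 dport=445 bytes=512",
    "2014-09-02T22:10:05 src=10.20.5.17 dst=10.20.250.5 dport=8530 bytes=40960",
]

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)"
)


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    """Only our two known segments count as internal; everything else is 'outside'."""
    return addr in POS_SEGMENT or addr in CORPORATE_SEGMENT


def assess_flow(line: str) -> list[str]:
    """Return the list of reasons this flow deserves a look (empty means it looks normal)."""
    m = LOG_RE.match(line)
    if m is None:
        return ["unparseable log line"]
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    nbytes = int(m["bytes"])
    when = datetime.fromisoformat(m["ts"])
    reasons = []

    # Suggestion one: the POS network and the corporate network should not talk directly.
    crosses = (src in POS_SEGMENT and dst in CORPORATE_SEGMENT) or (
        src in CORPORATE_SEGMENT and dst in POS_SEGMENT
    )
    if crosses:
        reasons.append("flat network: POS and corporate segments talking directly")

    # Suggestion two: watch what leaves the registers, where it goes, and when.
    if src in POS_SEGMENT:
        if not is_internal(dst) and dst not in PAYMENT_PROCESSOR:
            reasons.append("unexpected egress: register talking to %s, not the processor" % dst)
        if nbytes > BULK_BYTES:
            reasons.append("bulk outbound transfer (%d bytes) from a register" % nbytes)
        if when.hour < OPEN_HOUR or when.hour >= CLOSE_HOUR:
            reasons.append("register traffic at %02d:%02d, outside trading hours" % (when.hour, when.minute))
    return reasons


def triage(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Keep only the flows that raised at least one reason, with the line for context."""
    findings = []
    for line in lines:
        reasons = assess_flow(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   -", reason)
```

The value of the check is in the allowlist: once the only thing a register is permitted to reach outside the building is the payment processor, every other destination is an alert by definition, and a scraper’s upload has nowhere quiet to hide.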
And three: what’s good for individuals is good for business. The report recommends that companies really should develop and enable two-factor authentication processes for both internal users and authorized third parties. If the hacker somewhere in Eastern Europe doesn’t have the cell phone that a network access request texted a passcode to, that would prevent a host of potential problems right there.
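As an added example of the third suggestion (not code from the article or the Verizon report), here is a second factor implemented as a time-based one-time password (RFC 6238 TOTP, the authenticator-app style code) rather than the texted passcode the article describes, since the two work the same way from the retailer’s side: whoever holds the device gets the six-digit code, and a stolen password alone is not enough. The user store, salt, and login function are constructed; the TOTP routine is checked against the test vectors published in RFC 6238.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock skew."""
    counter = int(at_time) // step
    for c in range(counter - drift, counter + drift + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


# Constructed user store: a salted PBKDF2 password hash plus the per-user TOTP secret.
SALT = b"constructed-example-salt"
USERS = {
    "hvac-vendor": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", SALT, 100_000),
        "totp_secret": b"12345678901234567890",
    }
}


def authorize_remote_access(user: str, password: str, code: str, now: float) -> bool:
    """Both factors must pass: the password the attacker may have, and the code they don't."""
    record = USERS.get(user)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return False
    return verify_totp(record["totp_secret"], code, now)


if __name__ == "__main__":
    now = time.time()
    secret = USERS["hvac-vendor"]["totp_secret"]
    print("password only, guessed code:", authorize_remote_access("hvac-vendor", "correct horse battery", "000000", now))
    print("password plus device code:", authorize_remote_access("hvac-vendor", "correct horse battery", totp(secret, now), now))
```

The `authorize_remote_access` call is where the article’s vendor-account scenario plays out: a phished or reused password gets an attacker past the first check and no further, because the second check depends on a secret that never left the enrolled device.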
Internal protections like two-factor authentication, combined with smarter, more hack-proof EMV cards, will almost certainly help companies and consumers both by dramatically cutting down on the number of store hacks and the amount of physical credit card fraud we see.
But in the meantime, we will almost certainly keep hearing of small- and medium-scale hacks pretty much every week. It’s all but inevitable: there are literally more hacks, breaches, and “incidents” happening every minute. And the next giant breach on the scale of Target or Home Depot? That one’s probably already underway somewhere, too.