Cybercriminals timed their lastest superheist well. The Target Corporation announced on December 19 that data from more than 40 million credit and debit cards might have been stolen from holiday shoppers at its stores. It appears that the hacker’s software started redirecting information the day before Thanksgiving and continued for three weeks until detected on Dec. 15 by Target malware specialists. It is clear the group behind the attack wanted to take advantage of the large amount of holiday shoppers.
The breach appears to be ranking as the second-largest hack at a U.S. retailer. Currently only customers that shopped in person appear to be affected and not those who shopped on the company website.
"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence," Gregg Steinhafel, chief executive officer of Target, said in the statement.
On Dec. 19 Target placed an alert on its website stating that the criminals had stolen customer names, payment card numbers, expiration dates and their CVV security codes.
Krebs on Security, a closely watched security industry blog broke the news on Dec. 18, one day before the Target announcement. His information indicated that nearly all of Target's 1,797 stores in the United States were affected. Krebs often gets early information about cybercrimes due to his contacts within industry and the underground cyber world.
Investigators believed the data was obtained via software installed on point-of-sales terminals used to swipe magnetic strips on payment cards. It is not yet clear how the attackers were able to compromise point-of-sales terminals at so many Target stores. However the degree of sophistication of the hacking indicates that a new level has been reached in malware attacks against merchants.
Normally, hackers attack databases where credit card information is stored, not through the register system. This means that customer information was probably sent directly from the store's mounted cash registers to the hackers themselves, probably due to malicious software.
Since the cybercriminals have all the magnetic strip information they can use the stolen information to make purchase items online, a fast and faceless process that can be done at any time. More than likely the card information will be used immediately but it also can be held months until consumers and merchants drop their guard. Card information is also a high-profit commodity when sold on underground websites to other criminals.
Security experts have been urging U.S. companies to create credit and debit cards that generate a different code each time they are used, called EMV standards. After Australia implemented EMV standards, fraudulent charges from counterfeit cards dropped by 29 percent in one year according to a report from the Australia Payments Clearing Association.
What should affected consumers do? Target urged any customers who suspect they are affected by the data breach to call 866-852-8680.
I also interviewed Jay Foley of ID Theft Info Source who has worked with thousands of credit card and identity theft victims. His advice is to either close any card used at a Target Store during those three weeks or monitor your account carefully for the next year for any suspicious purchases. While people may feel like their identities have been stolen, this is the easiest type of theft to fix, Foley explained. They don’t have access to your Social Security number and can’t more credit in your name. Only those cards used at Target are at risk and your credit card company will remove any fraudulent purchases made.
He added, “The biggest losers are the credit card companies and Target who will need to pay for any fraud on the card as well as a loss of consumer trust. Unfortunately we have entered a time when we will see more of these highly sophisticated hackings and breaches; ones that more than likely cannot be detected before they take place. The public and companies still need to take all advised precautions but some breaches will still occur.”