The attacks on both Target and Neiman Marcus highlight the growing vulnerabilities in attacks on computer systems by determined and focused hackers. As Jay Foley from the ID Theft Info Source has said numerous times, “Whatever program a security specialist can develop there is another IT expert creating a malware program to bring it down.”
The Jan. 12 announcement from Neiman Marcus about their data breach was expected from certain security experts who have been talking behind closed doors. On Jan. 13, Avivah Litan, a security analyst at Gartner, confirmed that she has talked at least two people with specific knowledge that hackers had hit several undisclosed retailers prior to Thanksgiving, perhaps testing malware programs before hitting Target.
"They had developed very specific point-of-sale (POS) malware ... I was told it was the exact same piece of malware, and since November we've been told big retailer breaches were going on," Litan explained.
Retail networks, in general, saw more malicious activity in the second half of the year, according to BitSight, whose network of sensors gathers botnet, spam, malware, and other security risk communication and maps it to specific organizations' networks.
"Since the details of these breaches have not been fully revealed, we do not know if the activity observed by BitSight was indeed the cause of the data loss. BitSight looks only at externally available data and has no access to internal network data. While we did observe increased activity during the time the breaches occurred at Target and Neiman Marcus, these companies were certainly not the worst performers in the retail sector," Sonali Shah, vice president of product at BitSight wrote in a blog post. "SecurityRatings for other companies in this industry are lower; leaving us wondering which retailer will be hit next."
POS systems often have Internet and email access, leaving them open to attack from the outside. In other words, an employee receiving an email with an attached virus could infect the entire system, explained Jay Foley during an interview on Jan. 14.
Major card issuers tried to alert retailers about expected cybercrime activity. Last year VISA sent out several warnings about potential POS malware attacks and detailed security steps to take. US-CERT sent out an advisory warning of an increase in POS attacks on Jan. 2 with this explanation. "Therefore malicious links or attachments in emails as well as malicious websites can be accessed and malware may subsequently be downloaded by an end user of a POS system.”
There is plenty of finger-pointing and speculation as to possible solutions. Litan blames the failure of card issuers to change to smart chips in credit cards instead of magnetic strips. Smart chip technology in cards has been adopted by many other countries around the world.
David Burg from PricewaterhouseCoopers believes that part of the problem is the desire of consumers to use mobile devices and other apps to connect with various companies. “What you have is an attack surface that keeps increasing in size and complexity, making it very hard to secure,” Burg explained.
What will the future bring? “More Target-sized security breaches will happen if banks and retail stores don't start working together to further protect customers' data,” JPMorgan Chase CEO Jamie Dimon said Tuesday, Jan. 14.
Dimon, who had not publicly commented on Target's breach until Jan. 14, said he expects that banks will issue cards with more security features on them in the future. "This might be a chance for retailers and banks, for once, to work together as opposed to suing each other like we've been doing the last decade," Dimon said.