Skip to comments.The Target Breach & Why You Should Care (Hint: Itís Your Money)[Ever shopped at Target?]
Posted on 04/10/2014 2:19:20 AM PDT by 2ndDivisionVet
Without personally knowing any cyber criminals (I think using hackers is unfair to well, hackers), we can probably assume they are not very different from other criminals in that they do what they do for a few basic reasons:
Ego: defacing websites to gain street cred
Ideology: wreaking havoc to make political statements or wage asymmetric warfare
Money: engaging in good old-fashioned criminal capitalism (to the tune of $3 trillion)
Its this third motivation that is in the news the most, and its not because these criminals are infiltrating banks and making off with the loot. In fact its far from that. Instead they are grabbing your information, some of which is seemingly innocent, but when they can start piecing it together they are ready to pounce on your identity. This should force us to start thinking of data breaches not simply as an invasion of privacy, but as the first step toward financial fraud. The network data breach feeds the financial fraudthe breach is simply the means to gain the pieces of data needed to commit the more profitable crimes of identity theft and fraud. That is where the major harm comes in for individuals.
How a Data Breach Evolves Into Financial Fraud
We only need to connect the dots of the recent Target breach (or the Niemen Marcus breach or any other similar breach) to see this clear as day. As reported by Brian Krebs (emphasis added), the attackers broke in to Target's systems and installed malicious software:
...according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Targets internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices. (Krebs on Security, 1/15/14)
So far, this seems like a traditional network security breach that most citizens care little about (or even understand).
However, that data hoovering described by Krebs resulted in the theft of credit card and personal data on Target's customers:
...a data breach discovered [at Target] last month exposed the names, mailing addresses, phone number and email addresses for up to 70 million individuals. The disclosure comes roughly three weeks after the company acknowledged that hackers had broken in late last year and stolen approximately 40 million customer debit and credit card records. (Krebs on Security, 1/10/14)
Connecting the dots further, we learn this:
Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card. (Krebs on Security, 12/20/13)
Do the math and were looking at potential raw sales in the range of $20M$100M per batch for a grand total of up to $4 billion. Thats serious money, and thats just on the immediate sale of the cards. If the attackers can match the card data with the personal data, the potential for additional identity theft could push that upper limit far higher, not to mention result in serious financial and personal pain for the individual consumer.
The True Victim is You, Not The Retailer So Take Action NOW
And thats where we see the biggest impact of these attacks. The large retailers and banks, with some difficulty, can absorb these losses and make it through the publicity storm. However, the personal and financial data stolen does not belong to the big corporations. It belongs to average, hard-working people like you and me whose lives are often ruined or severely disrupted by these crimes.
Unfortunately, much of the reporting has focused on the breach, not the data, so many people (like this writer at Forbes) think theyre safe if they didnt shop at Target in the last few months. Thats a potentially tragic error, since there are some reports that the stolen data goes back ten years or more. In reality, if youve ever shopped at Target, this could affect you. Some of you may be diligent enough to check your last few credit card statements. Thats a prudent thing to do, but if you want to really protect yourself, you would do well to take more proactive steps:
Change Passwords: While youre at it, get a password manager (such as Password Safe, KeePass, or use Apples built-in iCloud Keychain) and let it create a new random password for each site.
Replace Cards: Contact your credit and debit card companies to order all new cards with new numbers.
Monitor Credit Reports: If Target or your card issuer wont give it to you free, buy it yourselffrom all three major credit reporting agencies (Experian, TransUnion, and Equifax).
So, pop quiz. Is this a story about: (a) a network security problem or (b) an identity theft and fraud problem? The answer, of course, is (c) all of the above. The network breach was the means, not the motive, and certainly not the end. The attackers didnt deface Targets web site or cause damage to their internal systems, which would suggest an ego- or ideology-driven attack. On the contrary, they stayed intentionally hidden (likely for quite some time) while they stole financial and personal information. The ultimate crime (the goal of the attackers), then, was identity theft and fraud motivated by money.
Network breaches and identify theft are not separate crimes. They are the means and the end of the same crime. Consumers need to pay closer attention to news reports of these things and respond with prudent steps to protect themselves. Network security professionals, also, need to understand the connection and start taking a more holistic approach to security. Call it unified security or holistic defense or whatever you want, but we all need to start understanding the bigger picture in order to protect ourselves and make any headway against these profiteering criminals.
I used my debit card at a Target just before last Thanksgiving.
$100.00 in foreign charges showed up in March.
The bank shut my card down, issued a new debit, ATM and credit card.
They recommend using cash or the credit card now...no debit card. I did get the money back because the debit card has Visa fraud protection, but they had a direct link to my bank acct with the debit, which they won’t have with a stand alone credit card.
I’m still Leary and just use cash now, unless I buy on line, then it is the credit card, which I pay off every month like it was coming out of my acct like the debit card was.
Although there are Target stores in the areas where we shop, we never go into one of their stores. Not to my “political” liking.
As a result of the data breach at Michael’s, both my husband and I had to cancel a credit card and get a new one. In both of our cases, the credit card company caught on and prevented the fraudulent transactions from going through. A couple of years ago, I bought an iPad at Best Buy, and I think the employee who handled the transaction tried using my debit card to make on-line purchases; those fraudulent charges were also caught and stopped.
Any more, you have to remain vigilant. Check credit card and bank statements often, verify the transactions. Luckily you can access accounts on-line, so you don’t have to wait for statements. The cards have phone numbers on the back where you can call if something fishy shows up.
Tin Foil Alert here:
Recently, I got to thinking about the many similar security breaches that we have been hearing about lately, and I have a suspicion growing in my feeble brain.
There have been rumors for a while now that the Soros Administration is looking at ways to seize retirement accounts and savings for “wealth redistribution”. It occurred to me that all of these cyber attacks are deliberately being allowed so as to set the stage for everyone to blame such activity when the confiscation comes.
Yes, I have noticed that.
My brand-new Barclays card was compromised through the Michael’s breach, only 2 or 3 months after it was issued.