
Target CEO confirms malware on POS machines, talks chip cards

Target CEO Gregg Steinhafel confirmed in a CNBC interview on Monday that malware introduced on point-of-sale devices is what enabled thieves to steal 40 million cards, CVV numbers and encrypted PIN codes, as well as personally identifiable information (PII) on 70 million shoppers, in a roughly three-week-long data breach.

“We don't know the full extent of what transpired, but what we do know was there was malware installed on our point-of-sale registers,” Steinhafel said. “We removed that malware so that we could provide a safe and secure shopping environment.” 

Target has taken other actions to protect its customers too, Steinhafel said, such as taking down 13 phishing sites that were preying on confused shoppers.

The retail giant also made good on its promise to offer free credit monitoring and identity theft protection when, on Monday, impacted individuals were given the green light to begin the enrollment process for those services.

Steinhafel said he first learned that a data breach incident had transpired on Dec. 15, 2013, which was a day spent eliminating the malware and ensuring people were safe to shop in all Target locations the following day.

Officials initiated an investigation and began forensic work on Dec. 16, 2013, Steinhafel said, explaining the following day was spent setting up the call center and preparing store employees for customer queries. Target then prepared to notify the public and announced the breach on Dec. 19, 2013.

“We have seen almost no fraudulent activity on our Target REDcard,” Steinhafel said, explaining Target will offer zero liability to customers by paying for any fraudulent charges on cards as a result of the breach. “We have some very low-level activity on the legacy Target Visa card. That's the only place that we've seen anything to this point.”

Looking forward, Steinhafel said that he would like to see Target take a lead role in shifting the U.S. from cards that use vulnerable magnetic stripes to cards that contain encrypted chips and follow the EMV global standard for chip cards.

However, that shift is already under way: the initiative began gaining momentum in 2011 and is expected to really take off in October 2015, according to Randy Vanderhoof, executive director with the Smart Card Alliance.

Vanderhoof said on Monday that chip cards offer a bigger safety benefit because financial information is encrypted on the chip and can only be read when swiped through a card reader, which creates a unique one-time key only for that single transaction.

Conversely, information carried on magnetic stripes is very accessible, and criminals who compromise that data can easily create cloned cards, Vanderhoof said.

“The use of EMV cards wouldn't have prevented a data breach, but it would have been less likely to have occurred because there would be no value to be gotten from stealing the payment data,” Vanderhoof said. “They couldn't resell it to people to make counterfeit copies of the card.”

He added, “Devaluing information stored in the system – that's the best way to reduce threat of data breaches.”
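The difference Vanderhoof describes between static stripe data and a per-transaction chip value can be shown with a simplified model. This is an added example, not code from the article or from the EMV specification: HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the class names, field layout and card values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _mac(key, pan, amount, nonce, atc):
    # HMAC-SHA256 stands in for the card's real cryptogram algorithm (assumption).
    msg = f"{pan}|{amount}|{nonce}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Toy chip: the key stays on the card, only per-transaction MACs leave it."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount, nonce):
        self.atc += 1  # transaction counter makes every cryptogram unique
        return self.atc, _mac(self._key, self.pan, amount, nonce, self.atc)

class Issuer:
    def __init__(self):
        self.keys, self.last_atc, self.tracks = {}, {}, set()

    def enroll(self, pan, expiry):
        self.keys[pan] = secrets.token_bytes(32)
        self.last_atc[pan] = 0
        self.tracks.add(f"{pan}={expiry}")  # static stripe data
        return ChipCard(pan, self.keys[pan])

    def authorize_stripe(self, track):
        # Static data: a byte-for-byte copy is indistinguishable from the card.
        return track in self.tracks

    def authorize_chip(self, pan, amount, nonce, atc, cryptogram):
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False  # unknown card, or counter already used (replay)
        if not hmac.compare_digest(_mac(key, pan, amount, nonce, atc), cryptogram):
            return False  # cryptogram does not match these transaction details
        self.last_atc[pan] = atc
        return True

def demo():
    pan, expiry = "0000111122223333", "1612"  # constructed sample values
    issuer = Issuer()
    card = issuer.enroll(pan, expiry)
    nonce = secrets.token_hex(4)  # terminal's unpredictable number
    atc, cryptogram = card.sign(2599, nonce)
    captured = (pan, 2599, nonce, atc, cryptogram)  # all a compromised register sees
    return {
        "genuine_chip": issuer.authorize_chip(*captured),
        "replayed_chip": issuer.authorize_chip(*captured),
        "altered_amount": issuer.authorize_chip(pan, 99999, nonce, atc + 1, cryptogram),
        "copied_stripe": issuer.authorize_stripe(f"{pan}={expiry}"),
    }
```

In this model the values captured from a chip transaction authorize nothing a second time, while the copied stripe string is accepted exactly like the original card.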

Although EMV has become a standard in other parts of the world, there are several reasons it has not taken off in the U.S., Vanderhoof said. He explained that there is no U.S. regulatory entity mandating the shift and added that with 1.2 billion cards and 10 million point-of-sale machines in the country, a required change would be costly.

“The [EMV] system is proven to be extremely secure and it's been in the market for over 20 years,” Vanderhoof said. “There are 1.5 billion EMV cards in the market, worldwide. There's a lot of data and experience with the technology and it's been proven in other countries that it has made significant increase in reduction of fraud – in some countries by as much as 67 percent.”

Another reason the U.S. has not yet shifted to chip cards is because it was once a leader in secure payments markets, Vanderhoof said. Now that international fraud is tapering off, criminals have shifted their focus from previously vulnerable overseas financial corporations to U.S. institutions, he explained.
