The attackers behind Target's credit card breach also went after customers at other retailers around the country, including high-end retailer Neiman Marcus. Maybe it's time to go back to just using cash.
Shoppers already jittery after Target reported a credit card breach over the holiday season are now faced with the prospect that the attacks were far more widespread than originally thought. It appears Target wasn't the only retailer affected in this breach, as Neiman Marcus and at least three other retailers experienced similar incidents over the same time period, Reuters reported. Security experts have long warned that banks, credit card processors, and retailers are not taking the necessary steps to secure payment card data and personal information, leaving customers vulnerable to fraud and identity theft.
"The impact of the Target breach and other retailers in similar circumstances (and not yet fully disclosed) can have far reaching effects on consumer confidence and impact on the US economy unless steps are taken to address this vulnerability immediately," said Anup Ghosh, founder and CEO of security company Invincea.
More Victims Found
Neiman Marcus discovered its breach on Jan. 1, after receiving reports from a credit card processor about possible unauthorized charges on the accounts of people who had shopped at its stores, reported security writer Brian Krebs. The attack appears to be on a smaller scale, with fewer than one million cards compromised.
While Krebs was not sure whether this breach was related to the attack on Target, sources told Reuters the incidents used similar techniques and could be linked. Like Target, Neiman Marcus said only shoppers who used their cards in the store were affected, not online shoppers.
Target initially reported that 40 million shoppers who used their credit card at one of its retail outlets during the holiday shopping season were affected in a credit card breach. Last week, the CEO of Target acknowledged the breach was bigger than originally thought, as personal information of at least 70 million customers, including names, mailing addresses, telephone numbers, and email addresses, was also stolen. There may be some overlap in customers between the initial 40 million and the later 70 million, but Target was unable to say how many were counted twice. Target also admitted that all US shoppers over 2013 were at risk, not just those who visited the store over the holiday season.
Questions, But No Answers
The investigation is still in the early stages, so there are more questions than answers at this point. This presents a whole new set of challenges, security experts said.
Right now, the big question is, "Am I affected?" and it's hard to tell. Reuters said three other retailers were currently investigating, but had not publicly disclosed the breach at this time. It is also possible there were other, smaller breaches earlier in 2013, which still have not been publicized.
"All retailers should err on the side of disclosing all consumers that are potentially affected while at the same time disclosing fully what they know about the breach and how it happened," Ghosh said.
Neiman Marcus said it is notifying customers who had fraudulent transactions posted to their accounts, but this leaves a lot of consumers who did shop at the stores wondering and waiting for bad news. It creates what an expert called "data security limbo," as users are aware of a breach but can't take any steps until they receive confirmation. Target also said it was notifying customers about personal information being stolen if an email address was on file.
This kind of selective notification opens up a window of opportunity for attackers to launch secondary attacks, said Angel Grant, director of anti-fraud solutions at RSA. Attackers can take advantage of the confusion to send out emails or even make phone calls to scam users into revealing their personal information and payment card details. Users need to be vigilant for follow-up phishing attempts in the wake of this breach.
Silence is Dangerous
While it's understandable to want to keep information close at hand until the investigation is complete, it doesn't help other retailers. Target is not discussing what happened, and Neiman Marcus is even more close-mouthed about the methods the attackers may have used. At the moment, Target has admitted its point-of-sale software was compromised, and Reuters cites sources who say the attackers used a RAM scraper, a type of malware that captures the temporary data in the computer's memory. There has been a surge in attacks using memory parsing malware recently, and Visa even issued alerts with technical information on how to thwart these types of attacks last year.
While it was not clear whether Target or other retailers had implemented any of the methods to defend against these attacks, sources told Reuters the attackers were much more sophisticated and would have been able to bypass those measures. Based on the fact that personal information was stolen, it was more than likely that Target's breach was "a more widespread compromise of Target's network than simply PoS machines," Ghosh said.
Retailers are likely investigating their networks and trying to figure out whether they have also been affected. This is where information sharing between retailers would be helpful.
As for you and me, maybe we should stick with cash for the time being. It is safer, and the only thing you have to worry about is pickpockets.