Sen. Richard Blumenthal (D., Conn.) has asked the Federal Trade Commission to immediately open an investigation into Target’s security breach, saying the FTC has the authority and responsibility to investigate. Meanwhile, the National Association of Federal Credit Unions continues to press for passage of data security requirements for retailers.
“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed,” Target said Friday. “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system and remained encrypted when it was removed from our systems.”
Terence Spies, chief technology officer at Voltage, which sells technology that enables encryption of credit card data, explained the transfer of data from store sales terminal to payment processor. “When a customer enters a PIN number for a debit card at a sales terminal, the PIN device contains an encryption key that’s unique to that device and often changes with every transaction,” he said. “A big piece of data takes the [encrypted information] to the processor. It’s processed in a hardware security module, and that’s the only place it ends up getting decrypted.”
Spies said protocol for proper key management is fairly well established. “If you do proper key management, it can make the information useless to an attacker,” he said. However, account information, found on the magnetic strip of a credit or debit card, is harder to protect. “Someone was selling account numbers on relatively obscure Eastern European Web sites,” Spies said. “They got tracking data from the strip on the back of the card. They can use it to build a fake card.” Along with account data, the cyberthieves stole zip code data, which makes the fake cards more effective. The PIN data is probably quite secure.
“There’s an extremely good chance some fraudulent transactions will be made against those cards,” Spies said.
While Spies said cybercriminals are getting more professional, he believes they couldn’t have done it alone in the case of Target. “It looks like someone had insider knowledge or had built some sort of malware that went live on the point-of-sale terminals and spread across a large number of stores very quickly and captured data for a number of days. There’s a good chance that there was some amount of insider knowledge.”
Doug Johnson, vice president of risk management policy at the American Bankers Association, said it was possible but highly unlikely that the “strongly encrypted” PIN data, which uses the “Triple DES” encryption that is the industry standard within the banking and retail industries, could be decrypted by the thieves who penetrated Target’s system.
“Anything is possible within the cryptology world, but it’s still very difficult to decrypt and not generally within the skill sets of criminals,” he told WWD. “Target was correct in pointing out that it doesn’t have the key, which happens on the other side of the card network, with the financial institutions. Target’s statement today seemed to me an accurate depiction of how the situation developed.”
The fallout of what is likely the second-largest data breach involving a retailer is not yet known. The largest attack against a single retailer involved TJX Cos. Inc. in 2005 and 2006, when 45.7 million customers of the off-price retailer were affected. Uncovered in 2007, the breach was conducted over 18 months. Experts were surprised by the speed of the Target crime — 19 days. TJX wound up paying $250 million in remediation expenses, settlements of bank claims, credit monitoring services for victims, legal fees and fines. It is not yet known how much the incident will cost Target.
Johnson attributed the decision of two major banks, J.P. Morgan Chase and Santander, to cap customer purchases and withdrawals made with compromised accounts to caution following the TJX intrusion. “The banks are battle-hardened and wary about retail breaches in the aftermath of TJX,” he said. “And companies like Target have learned to do the right thing on the retail side — blanket notification as soon as they find the breach, and they did find it quickly.”
Johnson also noted that the risk of cyberthefts will be reduced as financial institutions — including MasterCard, Visa and American Express — begin to roll out “chip and PIN” smartcard technology in the first quarter of 2015. Already in use in the U.K., Ireland and much of Europe, it combines chips embedded in credit and debit cards with personal identification numbers to establish the validity of the account. Because the verification will take place at the point of sale, rather than after encryption by the card issuer, liability for any losses caused by fraud will shift to the retailer and away from the financial institution.
“In the new world, once chip-and-pin is employed at point of sale, the responsibility would be the retailer’s,” Johnson said, adding that the system has worked to great effect where it’s been deployed.
While Target shoppers took to Twitter and Facebook to vent, the retailer used its own Twitter feed to highlight how it was dealing with the situation. The company doubled the manpower in its call center and promised “to work around the clock to answer questions until all needs are met,” according to a tweet last week. Target also listed steps for consumers to take to secure their cards, including getting a free credit report. The retailer repeatedly assured customers that they would “bear absolutely zero liability for any charges that they didn’t make,” and offered a 10 percent discount on Dec. 21 and Dec. 22 “in the spirit of goodwill.”
“Target’s response has been pretty energetic. Where they fell down a little bit is not investing in technology for preventing this from happening in the first place,” said Spies.