Sen. Richard Blumenthal (D., Conn.) has asked the Federal Trade Commission to immediately open an investigation into Target’s security breach, saying the FTC has the authority and responsibility to investigate. Meanwhile, the National Association of Federal Credit Unions continues to press for passage of data security requirements for retailers.
“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed,” Target said Friday. “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system and remained encrypted when it was removed from our systems.”
Terence Spies, chief technology officer at Voltage, which sells technology that enables encryption of credit card data, explained the transfer of data from store sales terminal to payment processor. “When a customer enters a PIN number for a debit card at a sales terminal, the PIN device contains an encryption key that’s unique to that device and often changes with every transaction,” he said. “A big piece of data takes the [encrypted information] to the processor. It’s processed in a hardware security module, and that’s the only place it ends up getting decrypted.”
Spies said the protocol for proper key management is fairly well established. “If you do proper key management, it can make the information useless to an attacker,” he said. However, account information, found on the magnetic stripe of a credit or debit card, is harder to protect. “Someone was selling account numbers on relatively obscure Eastern European Web sites,” Spies said. “They got tracking data from the strip on the back of the card. They can use it to build a fake card.” Along with account data, the cyberthieves stole zip code data, which makes the fake cards more effective. The PIN data is probably quite secure.
“There’s an extremely good chance some fraudulent transactions will be made against those cards,” Spies said.
While Spies said cybercriminals are getting more professional, he believes they couldn’t have done it alone in the case of Target. “It looks like someone had insider knowledge or had built some sort of malware that went live on the point-of-sale terminals and spread across a large number of stores very quickly and captured data for a number of days. There’s a good chance that there was some amount of insider knowledge.”
Doug Johnson, vice president of risk management policy at the American Bankers Association, said it was possible but highly unlikely that the “strongly encrypted” PIN data, which uses the “Triple DES” encryption that is the industry standard within the banking and retail industries, could be decrypted by the thieves who penetrated Target’s system.
“Anything is possible within the cryptology world, but it’s still very difficult to decrypt and not generally within the skill sets of criminals,” he told WWD. “Target was correct in pointing out that it doesn’t have the key, which happens on the other side of the card network, with the financial institutions. Target’s statement today seemed to me an accurate depiction of how the situation developed.”
The fallout of what is likely the second-largest data breach involving a retailer is not yet known. The largest attack against a single retailer involved TJX Cos. Inc. in 2005 and 2006, when 45.7 million customers of the off-price retailer were affected. Uncovered in 2007, the breach was conducted over 18 months. Experts were surprised by the speed of the Target crime — 19 days. TJX wound up paying $250 million in remediation expenses, settlements of bank claims, credit monitoring services for victims, legal fees and fines. It is not yet known how much the incident will cost Target.
Johnson attributed the decision of two major banks, J.P. Morgan Chase and Santander, to cap customer purchases and withdrawals made with compromised accounts to caution following the TJX intrusion. “The banks are battle-hardened and wary about retail breaches in the aftermath of TJX,” he said. “And companies like Target have learned to do the right thing on the retail side — blanket notification as soon as they find the breach, and they did find it quickly.”
Johnson also noted that the risk of cyberthefts will be reduced as financial institutions — including MasterCard, Visa and American Express — begin to roll out “chip and PIN” smartcard technology in the first quarter of 2015. Already in use in the U.K., Ireland and much of Europe, it combines chips embedded in credit and debit cards with personal identification numbers to establish the validity of the account. Because the verification will take place at the point of sale, rather than after encryption by the card issuer, liability for any losses caused by fraud will shift to the retailer and away from the financial institution.
“In the new world, once chip-and-pin is employed at point of sale, the responsibility would be the retailer’s,” Johnson said, adding that the system has worked to great effect where it’s been deployed.
While Target shoppers took to Twitter and Facebook to vent, the retailer used its own Twitter feed to highlight how it was dealing with the situation. The company doubled the manpower in its call center and promised “to work around the clock to answer questions until all needs are met,” according to a tweet last week. Target also listed steps for consumers to take to secure their cards, including getting a free credit report. The retailer repeatedly assured customers that they would “bear absolutely zero liability for any charges that they didn’t make,” and offered a 10 percent discount on Dec. 21 and Dec. 22 “in the spirit of goodwill.”
“Target’s response has been pretty energetic. Where they fell down a little bit is not investing in technology for preventing this from happening in the first place,” said Spies.