Sen. Richard Blumenthal (D., Conn.) has asked the Federal Trade Commission to immediately open an investigation into Target’s security breach, saying the FTC has the authority and responsibility to investigate. Meanwhile, the National Association of Federal Credit Unions continues to press for passage of data security requirements for retailers.
“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed,” Target said Friday. “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system and remained encrypted when it was removed from our systems.”
Terence Spies, chief technology officer at Voltage, which sells technology that enables encryption of credit card data, explained how data travels from a store's sales terminal to the payment processor. “When a customer enters a PIN number for a debit card at a sales terminal, the PIN device contains an encryption key that’s unique to that device and often changes with every transaction,” he said. “A big piece of data takes the [encrypted information] to the processor. It’s processed in a hardware security module, and that’s the only place it ends up getting decrypted.”
Spies said the protocols for proper key management are fairly well established. “If you do proper key management, it can make the information useless to an attacker,” he said. However, account information, found on the magnetic stripe of a credit or debit card, is harder to protect. “Someone was selling account numbers on relatively obscure Eastern European Web sites,” Spies said. “They got tracking data from the strip on the back of the card. They can use it to build a fake card.” Along with account data, the cyberthieves stole ZIP code data, which makes the fake cards more effective. The PIN data is probably quite secure.
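The flow Spies describes (a key unique to each PIN pad that changes every transaction, with the PIN recovered only inside the processor's hardware security module) can be shown end to end in a few dozen lines. The program below is an added illustration written for this article, not code from Target, Voltage or any payment network. It uses the ISO 9564 Format 0 PIN block and Triple DES, which the article names as the industry standard, but the per-device key chain is a deliberately simplified, one-way HMAC derivation standing in for the real DUKPT scheme; the base key, device ID, PAN and PIN are constructed test values.

```go
package main

import (
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// formatZeroPINBlock builds an ISO 9564 Format 0 PIN block: the PIN field
// ("0", PIN length, PIN digits, "F" padding to 16 hex digits) XORed with the
// PAN field ("0000" plus the 12 PAN digits to the left of the check digit).
func formatZeroPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	if len(pan) < 13 {
		return nil, errors.New("PAN too short")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	panField := "0000" + pan[len(pan)-13:len(pan)-1]
	a, err := hex.DecodeString(pinField)
	if err != nil {
		return nil, err
	}
	b, err := hex.DecodeString(panField)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = a[i] ^ b[i]
	}
	return block, nil
}

// decodeFormatZeroPINBlock reverses formatZeroPINBlock given the PAN and
// rejects blocks whose structure is wrong (the usual sign of a wrong key).
func decodeFormatZeroPINBlock(block []byte, pan string) (string, error) {
	if len(block) != 8 || len(pan) < 13 {
		return "", errors.New("bad block or PAN")
	}
	b, err := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	if err != nil {
		return "", err
	}
	clear := make([]byte, 8)
	for i := range clear {
		clear[i] = block[i] ^ b[i]
	}
	if clear[0]>>4 != 0 {
		return "", errors.New("not a Format 0 block")
	}
	n := int(clear[0] & 0x0F)
	if n < 4 || n > 12 {
		return "", errors.New("bad PIN length nibble")
	}
	digits := strings.ToUpper(hex.EncodeToString(clear))[2 : 2+n]
	for _, c := range digits {
		if c < '0' || c > '9' {
			return "", errors.New("non-digit in PIN field (wrong key?)")
		}
	}
	return digits, nil
}

// initialKey is the device-specific key injected into a PIN pad at setup,
// derived from the base key that never leaves the HSM. This HMAC derivation is
// a constructed simplification of DUKPT's initial-key derivation.
func initialKey(baseKey []byte, deviceID string) []byte {
	m := hmac.New(sha256.New, baseKey)
	m.Write([]byte("device:" + deviceID))
	return m.Sum(nil)[:24] // 24 bytes = three-key Triple DES
}

// nextKey is a one-way step in the per-device key chain: knowing key n
// does not reveal key n-1, which is what protects earlier transactions.
func nextKey(key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte("advance"))
	return m.Sum(nil)[:24]
}

// Terminal models a PIN entry device. It holds only its current transaction
// key and overwrites it after every use.
type Terminal struct {
	DeviceID string
	counter  uint32
	key      []byte
}

func NewTerminal(baseKey []byte, deviceID string) *Terminal {
	return &Terminal{DeviceID: deviceID, key: initialKey(baseKey, deviceID)}
}

// EncryptPIN is what happens inside the PIN pad: format, encrypt with the
// current key, then advance the key so the same PIN never repeats a ciphertext.
func (t *Terminal) EncryptPIN(pin, pan string) (uint32, []byte, error) {
	block, err := formatZeroPINBlock(pin, pan)
	if err != nil {
		return 0, nil, err
	}
	c, err := des.NewTripleDESCipher(t.key)
	if err != nil {
		return 0, nil, err
	}
	ct := make([]byte, 8)
	c.Encrypt(ct, block)
	ctr := t.counter
	t.key = nextKey(t.key)
	t.counter++
	return ctr, ct, nil
}

// CurrentKey is what an attacker who dumps the device's memory would obtain.
func (t *Terminal) CurrentKey() []byte { return t.key }

// HSM models the processor-side hardware security module holding the base key.
type HSM struct{ baseKey []byte }

// DecryptPIN re-derives the device's key for the given counter and recovers
// the PIN; this is the only place in the flow where the PIN is in clear.
func (h *HSM) DecryptPIN(deviceID string, counter uint32, ct []byte, pan string) (string, error) {
	key := initialKey(h.baseKey, deviceID)
	for i := uint32(0); i < counter; i++ {
		key = nextKey(key)
	}
	return decryptWithKey(key, ct, pan)
}

func decryptWithKey(key, ct []byte, pan string) (string, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	block := make([]byte, 8)
	c.Decrypt(block, ct)
	return decodeFormatZeroPINBlock(block, pan)
}

func main() {
	baseKey := []byte("constructed-demo-base-key-not-real!!") // lives only in the HSM
	hsm := &HSM{baseKey: baseKey}
	term := NewTerminal(baseKey, "POS-0001")
	pan, pin := "4111111111111111", "1234" // constructed test values

	c1, ct1, _ := term.EncryptPIN(pin, pan)
	c2, ct2, _ := term.EncryptPIN(pin, pan)
	fmt.Printf("txn %d: %x\ntxn %d: %x\n", c1, ct1, c2, ct2) // same PIN, different ciphertext
	p1, _ := hsm.DecryptPIN("POS-0001", c1, ct1, pan)
	fmt.Println("HSM recovered:", p1)
	p, err := decryptWithKey(term.CurrentKey(), ct1, pan)
	fmt.Printf("terminal's live key against an earlier transaction: pin=%q err=%v\n", p, err)
}
```

Two things the run makes concrete: the merchant's network only ever carries ciphertext plus a device ID and counter, which is useless without the base key held in the HSM, and a terminal captured after the fact holds a key that cannot decrypt the transactions it already sent.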
“There’s an extremely good chance some fraudulent transactions will be made against those cards,” Spies said.
While Spies said cybercriminals are getting more professional, he believes they couldn’t have done it alone in the case of Target. “It looks like someone had insider knowledge or had built some sort of malware that went live on the point-of-sale terminals and spread across a large number of stores very quickly and captured data for a number of days. There’s a good chance that there was some amount of insider knowledge.”
Doug Johnson, vice president of risk management policy at the American Bankers Association, said it was possible but highly unlikely that the “strongly encrypted” PIN data, which uses the “Triple DES” encryption that is the industry standard within the banking and retail industries, could be decrypted by the thieves who penetrated Target’s system.
“Anything is possible within the cryptology world, but it’s still very difficult to decrypt and not generally within the skill sets of criminals,” he told WWD. “Target was correct in pointing out that it doesn’t have the key, which happens on the other side of the card network, with the financial institutions. Target’s statement today seemed to me an accurate depiction of how the situation developed.”
The fallout of what is likely the second-largest data breach involving a retailer is not yet known. The largest attack against a single retailer involved TJX Cos. Inc. in 2005 and 2006, when 45.7 million customers of the off-price retailer were affected. Uncovered in 2007, the breach was conducted over 18 months. Experts were surprised by the speed of the Target crime — 19 days. TJX wound up paying $250 million in remediation expenses, settlements of bank claims, credit monitoring services for victims, legal fees and fines. It is not yet known how much the incident will cost Target.
Johnson attributed the decision of two major banks, J.P. Morgan Chase and Santander, to cap customer purchases and withdrawals made with compromised accounts to caution following the TJX intrusion. “The banks are battle-hardened and wary about retail breaches in the aftermath of TJX,” he said. “And companies like Target have learned to do the right thing on the retail side — blanket notification as soon as they find the breach, and they did find it quickly.”
Johnson also noted that the risk of cyberthefts will be reduced as financial institutions — including MasterCard, Visa and American Express — begin to roll out “chip and PIN” smartcard technology in the first quarter of 2015. Already in use in the U.K., Ireland and much of Europe, it combines chips embedded in credit and debit cards with personal identification numbers to establish the validity of the account. Because the verification will take place at the point of sale, rather than after encryption by the card issuer, liability for any losses caused by fraud will shift to the retailer and away from the financial institution.
“In the new world, once chip-and-pin is employed at point of sale, the responsibility would be the retailer’s,” Johnson said, adding that the system has worked to great effect where it’s been deployed.
While Target shoppers took to Twitter and Facebook to vent, the retailer used its own Twitter feed to highlight how it was dealing with the situation. The company doubled the manpower in its call center and promised “to work around the clock to answer questions until all needs are met,” according to a tweet last week. Target also listed steps for consumers to take to secure their cards, including getting a free credit report. The retailer repeatedly assured customers that they would “bear absolutely zero liability for any charges that they didn’t make,” and offered a 10 percent discount on Dec. 21 and Dec. 22 “in the spirit of goodwill.”
“Target’s response has been pretty energetic. Where they fell down a little bit is not investing in technology for preventing this from happening in the first place,” said Spies.