Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

A member of the Gartner Blog Network

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

What can we learn from the Target Breach

by Avivah Litan  |  December 19, 2013  |  37 Comments

UPDATE: Shortly after this blog post was published, I received comments that questioned the veracity of one of the claims in it.  I have looked into the points raised and agree that what I heard from two secret service agents specifically concerning the 2009 security breach at Heartland Payment Systems is not independently verifiable.  In fact, Heartland has confirmed that “Gonzales has never been an employee of Heartland, nor would he have been able to download data to a USB as stated in the article.”
————————————————————————————————–

The recently reported Target breach, first uncovered by security blogger Brian Krebs (see krebsonsecurity.com), is the largest retailer breach to surface since the round of breaches undertaken by Albert Gonzalez that began in 2005 and eventually involved many U.S. companies, including BJ's, JC Penney, Heartland, Dave & Buster's, TJX and even Target itself.

Who’s the real victim here?

The top victim in my opinion is Target itself. Target no doubt has spent a small fortune on payment card security and on becoming PCI compliant. It has tried to do "everything right" as far as I can tell, yet the theft still occurred. Now it will be a "victim", so to speak, of the payment card industry, which will likely:

a) Raise the merchant fees Target pays Visa, Mastercard, Amex and others on every transaction by a few basis points, which can add up to a significant amount of money

b) Fine Target for the breach

c) Fine Target for non-compliance with PCI (even though it was certified as compliant; Visa and Mastercard will determine that it really wasn't compliant, since it had a breach)

d) Make Target pay back card issuers for any fraud that results from this breach.

Target may also face class action suits brought by hungry lawyers or state attorneys general. If the past is any indicator, such suits will eventually be dismissed, since there is very little direct damage to consumers, who typically get any resulting charges reversed. Of course it's a major hassle for consumers, but they rarely lose any money from this (unless PINs were stolen along with debit cards, and there is no evidence that this happened at Target).

In the end, the actual fraud loss, which Target will have to pay for, is likely to be less than $25 million, but the fees it pays the banks may be twice that amount. If they get much higher, Target may have to pass these costs on to consumers in the form of higher prices.

How did this Happen?

Given that Target has instituted so many security controls, I’d be very surprised if the breach occurred because malware was installed on POS devices or in local store systems. My guess is that the data was stolen from Target’s switching system for authorization and settlement.

But I'm not so sure it was due to a piece of malware inserted remotely by a clever hacker. I recently heard a couple of highly placed Secret Service officers say that the Heartland Payment Systems breach, the largest breach in history, in which 130 million payment cards were compromised, was actually executed by Albert Gonzalez in a very low-tech manner. These agents said Gonzalez was working at Heartland as a call center employee and simply walked out with the sensitive payment card data every day on a USB drive. This apparently was AFTER he was arrested for the TJX breach and became a government informant.

If we’ve learned anything from the Snowden/NSA and Wikileaks/Bradley Manning affairs, it’s that insiders can cause the most damage because some basic controls are not in place. I wouldn’t be surprised if that’s the case with the Target Breach – i.e. that Target did a great job protecting their systems from external intruders but dropped the ball when it came to securing insider access.

Bottom line: it’s time for the U.S. card industry to move to chip/smart cards and stop expecting retailers to patch an insecure payment card system.

37 responses so far

  • 1 A. Clark   December 19, 2013 at 1:40 pm

    I don't understand the "Bottom Line" comment. Chip and PIN can still send the card info to the POS in clear text. The chip and PIN security is broken and can be circumvented to allow any PIN to be used. I think the US chose not to implement it because it's known to be broken, so why use it.

    You need a PIN pad that sends data encrypted directly to the card processor and only allows the merchant to ever see a token.

  • 2 What can we learn from the Target Breach | Dream Virtual   December 19, 2013 at 1:47 pm

    [...] http://blogs.gartner.com/avivah-litan/2013/12/19/what-can-we-learn-from-the-target-breach/ [...]

  • 3 S. Asche   December 19, 2013 at 3:08 pm

    I thought the reason the US retailers and banks chose not to use chip and PIN is that the expense of deploying it exceeds the cost of fraud.

  • 4 M. Dixon   December 19, 2013 at 4:13 pm

    Only a complete moron would write about how people’s bank info is stolen via purchases at a retailer and then say the retailer is the real victim. My identity was stolen and it takes YEARS of painful and undue embarrassing situations to get it straight.

    Seriously, TARGET is the real victim? May I have YOUR bank information so you may see what a real victim is like?

    Go back to school lady. The people reading your words are the real victims here.

  • 5 Matt Hazz   December 19, 2013 at 4:58 pm

    ” was actually executed by Alberto Gonzales in a very low tech manner. These agents said Gonzales was working at Heartland as a call center employee and simply walked ”

    Wrong! Gonzales never worked for Heartland or at one of their call centers or anywhere else. He simply wrote the software the real bad guys used.

    Your ‘high placed secret service officers’ aren’t all that high.

  • 6 Avivah Litan   December 19, 2013 at 9:26 pm

    Hi A. Clark, the case for chip cards is that they are much harder to clone, so it will dissuade the hackers from launching these types of attacks. Yes, it's not perfect, but chip technology has successfully lowered card-present fraud rates in the countries where it is deployed (although yes, the fraud has migrated to cross-border (mag stripe) and card-not-present channels). But chip cards definitely offer stronger security than mag stripe cards, and if the data off those cards are stolen, it is much more difficult to clone the card.

  • 7 Avivah Litan   December 19, 2013 at 9:27 pm

    Hi S. Asche, yes, you are right, the cost of chip technology has presumably been higher than the fraud losses. But perhaps that equation is beginning to change, especially now that the rest of the world is on chip cards.

  • 8 Avivah Litan   December 19, 2013 at 9:31 pm

    Hi M. Dixon, a stolen credit card does not equate to identity theft. Indeed, identity theft is much more serious, and I'm sorry you went through that. I agree with you on the seriousness of identity theft, but in the case of credit cards, consumers are protected under Regulation Z and the rules of the credit card companies (i.e. zero liability protection). Of course, it's a major hassle if your payment card is stolen, but unless your PIN is also stolen and used with a stolen debit card, it is relatively easy to get your bank to reverse any fraudulent charges. A thief who steals credit card account information is far removed from stealing enough identity information to take out a new loan in someone else's name, for example.

  • 9 Avivah Litan   December 19, 2013 at 9:34 pm

    Hi Matt Hazz, these comments were made by the agents in the course of a discussion with several individuals on a much broader matter. I don’t have any reason to think they would make something like this up. Frankly, I don’t think any of us know the full story. Are you sure you are completely informed?

  • 10 Jason L   December 20, 2013 at 12:14 am

    While I may agree that credit card theft is not equal to identity theft, it is still incumbent on the retailers to protect the consumers' data. Failure to do so does not render the retailer a "victim". Furthermore, most if not all retailers have some type of fraud insurance to protect them. The zero liability rule is nice, but nonetheless it is time consuming and at times not as easy as one would expect.
    It appears to me that not enough information is available to understand the extent of this breach, and most if not all of the reports are more speculative than fact-based.
    It is time that corporations and retailers understand that investing in prevention is futile. No network is completely safe; it is time to invest in early detection and remediation. From the reports, Target had been breached for about 3 weeks; with proper detection this may have been reduced to 3 days.

  • 11 Patrick Donnelly   December 20, 2013 at 3:08 am

    At Revel, we are big proponents of PCI compliance – http://revelsystems.com/features/pci-compliance

    I think one lesson here is that there are ways to not store customer credit card data. You don't have to store it on the POS locally. And you don't have to store it on the server either. Chip and PIN will help a little bit, but we need, as an industry, to stop storing credit card info, period. If you want to keep track of people in a CRM in a different way, that is okay, but no credit card data.

    Simply put. If you are not storing it ( pass through ), they cannot steal it.

    Patrick, Revel Systems iPad POS

  • 12 Hans   December 20, 2013 at 9:59 am

    “It has tried to do “everything right” as far as I can tell…”

    How can passing or possibly even storing (horrors) track data un-encrypted be considered doing “everything right”?

    Track data should be encrypted at the swipe/pin-pad, passed over the internal network “in-line” still encrypted, never stored anywhere, and only decrypted in an HSM and just before passing to a payment processor or network. Put dual-control at the point where the track data are decrypted. It can and has been done.

  • 13 Target Breach: What Happened? | SMLR Group, Inc.SMLR Group, Inc.   December 20, 2013 at 12:38 pm

    [...] a blog posted Dec. 19, just after Target confirmed the attack, Litan speculates that the compromise is [...]

  • 14 Jeff   December 20, 2013 at 12:39 pm

    Any retailer who falls under PCI compliance (remember, compliance does not equal security) is PCI compliant one day out of 365, and that's the day they get attestation from their PCI auditor (who has no doubt overlooked or let slide various company controls, that is, if any exist).

    After that, it's back to business as usual for undermanned security staffs (whose companies profess they care about security, but talk is cheap), which means processes aren't followed or are ignored, because there's too much work and not enough people, and no priorities from upper management.

    Cash is king…

  • 15 Avivah Litan   December 20, 2013 at 2:55 pm

    Hi Hans,

    Re your comment: there is no requirement for point-to-point encryption, and it's not standardized yet, so it's a risk for a retailer as large as Target to invest in that equipment (if they didn't).

    Also, the traffic has to be decrypted before it's passed to the networks and card issuers, and even to the processor unless the processor sells and supports the point-to-point encryption system. That's the fundamental point: the card payment systems need to be more secure, and the method you propose should be part of the payment card network standards. Don't stick it all on the retailer.

  • 16 Avivah Litan   December 20, 2013 at 2:58 pm

    Hi Jeff, yes, I agree completely with what you are saying, which is why we need a fundamental upgrade of the payment systems and their security. The technology used today is antiquated, and retailers are bearing the brunt of the inherent vulnerabilities. Of course it's ultimately a big issue for card issuers (from a fraud perspective) and other participants as well. Time for an upgrade after some 40 years, don't you think?

  • 17 Jim Huguelet   December 20, 2013 at 3:50 pm

    The US payment infrastructure is indeed fundamentally broken because it was never designed for an environment with such widespread access to the systems in it. That being said, we’re approaching Year 15 of this era and not much has changed even though tens of billions of dollars have been spent on PCI DSS compliance. I continue to contend that the ONLY real solution to securing brick-n-mortar retailers is end (i.e. swipe) to end (i.e., processor) encryption of all CHD. Take the retailers out of the loop and EMV becomes a secondary issue. Instead, card brands are trying (unsuccessfully) to push merchants into EMV adoption – which will solve very little and cost merchants a lot.

  • 18 Avivah Litan   December 20, 2013 at 3:54 pm

    Hi Jim, good idea. Standardized Point to Point Encryption should prove very effective and much less expensive than chip/EMV. But it should go all the way to the issuer – and not stop at the merchant’s processor, don’t you think? Still EMV is a global standard and it has many benefits because of that.
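The design A. Clark (comment 1), Hans (comment 12) and Jim Huguelet (comment 17) describe, encryption at the swipe that only the processor can undo and a token for the merchant, as an added illustration. This is not code from the post, from Revel or from anyone in the thread. It assumes a hypothetical base derivation key shared only by the PIN pad and the processor's HSM, uses an HMAC-SHA256 counter-mode stream with an HMAC tag as a stand-in for AES-GCM, and simplifies per-transaction key derivation (DUKPT in a real deployment) to a single HMAC; the track data is the standard Visa test number, constructed for the example. The `demo()` function plays all three parties and reports what a RAM scraper or network tap at the merchant would see.

```python
"""Swipe-to-processor encryption with tokenization, simulated end to end.
Added example (see lead-in); HMAC-SHA256 stands in for AES-GCM and DUKPT."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical base derivation key (BDK): injected into the PIN pad at
# manufacture and held in the processor's HSM, never present at the merchant.
BDK = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
# Constructed test value (the standard Visa test PAN), not real cardholder data.
SAMPLE_TRACK2 = "4111111111111111=25121011234567890"


def derive_txn_key(bdk, device_id, counter):
    """Per-transaction key (simplified DUKPT): a captured key exposes no others."""
    return hmac.new(bdk, device_id + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES-CTR)."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Check the tag before decrypting; any bit flip or wrong key is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class WireMessage:
    """All the POS, store network and merchant servers ever see."""
    device_id: bytes
    counter: int
    blob: bytes


class PinPad:
    def __init__(self, device_id, bdk):
        self.device_id, self._bdk, self.counter = device_id, bdk, 0  # bdk in tamper-responsive hardware

    def swipe(self, track2):
        self.counter += 1
        key = derive_txn_key(self._bdk, self.device_id, self.counter)
        return WireMessage(self.device_id, self.counter, encrypt(key, track2.encode()))


class Processor:
    def __init__(self, bdk):
        self._bdk, self._vault = bdk, {}  # vault: token -> PAN, held only here

    def authorize(self, msg):
        key = derive_txn_key(self._bdk, msg.device_id, msg.counter)
        pan = decrypt(key, msg.blob).decode().split("=")[0]
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return {"approved": True, "token": token, "last4": pan[-4:]}

    def refund(self, token):
        """Reversal by token, so the merchant never resends the card number."""
        return token in self._vault


def demo():
    pad, processor = PinPad(b"PP-0001", BDK), Processor(BDK)
    msg = pad.swipe(SAMPLE_TRACK2)
    # What a RAM scraper or network tap at the merchant would find: no PAN.
    pan_on_wire = SAMPLE_TRACK2.split("=")[0].encode() in msg.blob
    auth = processor.authorize(msg)
    # The merchant stores the token and last four digits, nothing else.
    merchant_record = {"token": auth["token"], "last4": auth["last4"]}
    # A single flipped ciphertext bit in transit is caught by the tag check.
    tampered = msg.blob[:20] + bytes([msg.blob[20] ^ 1]) + msg.blob[21:]
    try:
        processor.authorize(WireMessage(msg.device_id, msg.counter, tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"pan_on_wire": pan_on_wire, "merchant_record": merchant_record,
            "refund_ok": processor.refund(auth["token"]), "tamper_detected": tamper_detected}
```

The point Litan raises in her reply still holds in this model: whoever holds the BDK (here the processor) sees the PAN in the clear, so the trust boundary moves from the merchant to the processor rather than disappearing. The token answers A. Clark's later observation that reversals otherwise force the retailer to keep card numbers.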

  • 19 Target Breach: 10 Facts | Unicom Media   December 21, 2013 at 10:25 am

    [...] Gartner analyst Avivah Litan said in a blog post that the breach was likely not due to malware or hacking, but a very low-tech [...]

  • 20 Salias Emmet   December 21, 2013 at 12:31 pm

    Perhaps Target does transmit and store this data with hard encryption, and properly destroys data as soon as possible.

    But if someone has the decryption keys and can insert a couple lines of code, all of that good process is irrelevant.

  • 21 A. Clark   December 21, 2013 at 12:44 pm

    In Canada we saw a very small drop in fraud when chip and PIN was introduced, and a huge expense. The biggest issue retailers have is the banks will not let you reverse a transaction without resending the full card information. There are good reasons for that, to prevent different fraud, but it forces the retailer to store these card numbers, encrypted hopefully. Even if you're PCI compliant, many processors require you to transmit the card # to them in the clear, so it's only your network security protecting the data. So if you can capture the card # in motion, you're set. We need end-to-end security of the data.

  • 22 hernandezz   December 21, 2013 at 3:00 pm

    What about breach? Is it a low-tech Managed IT?

  • 24 j smith   December 23, 2013 at 10:42 am

    Your assumption regarding the TJX matter, based on conversations with Secret Service agents, makes no sense.
    "was actually executed by Albert Gonzales in a very low tech manner. These agents said Gonzales was working at Heartland as a call center employee and simply walked out with the sensitive payment card data every day on a USB drive. This apparently was AFTER he was arrested for the TJX breach and became a government informant."
    How did he execute the largest breach in history, then gain employment at the victim's company, and proceed to steal card data?
    In the case of Target, why would a criminal risk collusion and have a potential snitch, when they could simply use common social engineering and APT techniques? The risk is too high.

  • 25 Avivah Litan   December 23, 2013 at 6:15 pm

    Hi J Smith, I don't get the allegation about Gonzales working at Heartland either. I'm just recounting what I was told. Again, I don't think any of us know the full story, and I don't have any reason to think the agents would lie in a passing comment.

  • 26 Avivah Litan   December 23, 2013 at 6:17 pm

    Hi A Clark, thanks for the observations about chip and PIN. Good to know the aspects about needing to store the data for future use. That doesn't help, does it? But presumably, if that data are stolen they can't be used to clone a chip card, correct?

  • 27 Steve Tillotson   December 24, 2013 at 1:00 am

    Avivah

    You got it wrong, please re-evaluate

    http://www.dailymail.co.uk/news/article-2528442/Target-hit-five-lawsuits-seeking-damages-breach-disclosed-week.html

    Steve

  • 28 Steve Wilson (@Steve_Lockstep)   December 26, 2013 at 5:53 am

    Litan writes “[Target] has tried to do ‘everything right’ as far as I can tell, yet the theft still occurred”. That is, while successful attacks have to be very sophisticated and expensive to mount, they turn out to have positive ROI for crime gangs. There is not much more that big card database holders can do to curtail mass card theft. So as Litan says, “it’s time for the U.S. card industry to move to chip/smart cards and stop expecting retailers to patch an insecure payment card system”.

    I agree strongly, especially with taking the security focus away from retailers (I mean, PCI-DSS really is a sick joke). But I would add a couple of fine points.

    Firstly, when we talk of insecurity in the payment card system, we need to be circumspect. Some responses to fraud — especially 3D Secure — involve quite radical changes to the Four Party system, like joining the Issuer to the Cardholder in real time, and adding more parties. It's not like the whole payment system is broken; far from it. At one level the payment card system today remains as robust as it was 30 or 40 years ago. Its main vulnerability is very specific: cardholder data is replayable at merchants, either by carding or by CNP fraud. Outside the US, carding has of course been curtailed by chip cards, and it's a matter of acknowledged urgency now that the mag stripe be removed altogether ASAP. We introduced chip technology with almost no change at all to the overall system.

    Which leaves CNP fraud, and my second point. We have to also tackle the replayability of stolen cardholder data online, or big breaches will still be economically attractive to organised crime. 3D Secure turns out to be a flabby, repellent approach, loathed by shoppers and merchants alike. A much more elegant solution would be to use chip technology to protect online payments just as we do Card-Present transactions. All we need to do is digitally sign Internet shopping transactions — automatically, at the client side, using keys held in EMV cards or mobile phones — to prevent replay attack.

  • 29 Adrian hausser   December 26, 2013 at 7:55 am

    Let's be very clear here, since the link to EMV chip cards has been made. Even WITH EMV, Target's breach could have still occurred, and the consequences, even if all cards were EMV, would still be wide ranging. EMV just helps address physical card customer-present fraud; it does not counter the huge number of other fraud exposures that exist. My prediction is that these breaches will increase dramatically before declining. PCI just can't keep up with technology, alternative payments growth and channel expansion.

  • 30 A. Clark   December 26, 2013 at 2:37 pm

    Yes, EMV cards are harder to clone, but the random number generator in some devices is predictable... In some it's just a counter and not random at all. Handy to clone cards if it's an illicit store front. Cambridge University has done some good papers on this, as well as a hack where you can use any PIN with any EMV card, if you retain physical access to the card, which is typical now with chip and PIN. The wires hooked up to a laptop in your backpack tell the card the right PIN was entered and tell the register the card was swiped so no PIN needed, but your receipt says PIN Verified.

    It would only take a few minor changes to the standards to fix these two types of attacks. It would be good if the US could force the standard to evolve before implementing it. As long as the retailer or consumer is responsible for the fraud the banks don’t have much incentive to fix things or support end to end encryption.
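The two properties A. Clark's comment above turns on (chip-card data is hard to reuse, yet a terminal whose "unpredictable number" is really a counter lets an attacker harvest cryptograms in advance, the pre-play attack from the Cambridge work the comment refers to), together with the replay point in Steve Wilson's comment (28), as an added example that is not part of the original post or of either comment. It is a deliberately simplified model of the EMV flow: a hypothetical per-card key shared with the issuer, HMAC-SHA256 standing in for the card's cryptogram algorithm, a MAC over the amount, the terminal's unpredictable number (UN) and the card's transaction counter (ATC), and an issuer that rejects a cryptogram whose ATC it has already seen. The PAN and track data are constructed test values. The PIN-bypass attack the comment also mentions is not modelled.

```python
"""Why stolen chip-card data is hard to reuse, and what a predictable
"unpredictable number" gives back to the attacker.  Added example (see lead-in);
HMAC-SHA256 stands in for the card's cryptogram algorithm."""
import hashlib
import hmac
import secrets

# Hypothetical per-card secret, personalised into the chip and known to the
# issuer.  The PAN is a constructed test value, not real cardholder data.
PAN = "4111111111111111"
CARD_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")
SAMPLE_TRACK2 = PAN + "=25121011234567890"  # what a mag-stripe swipe yields


def _cryptogram(key, pan, amount, un, atc):
    """Card MAC over the transaction: amount, terminal UN and the card's ATC."""
    return hmac.new(key, f"{pan}|{amount}|{un:08x}|{atc}".encode(), hashlib.sha256).hexdigest()


class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0  # ATC never repeats

    def generate_arqc(self, amount, un):
        self.atc += 1
        return {"pan": self.pan, "amount": amount, "un": un, "atc": self.atc,
                "arqc": _cryptogram(self._key, self.pan, amount, un, self.atc)}


class CloneCard:
    """Attacker's card: no key, only cryptograms harvested from the real card
    while it sat briefly in a tampered terminal (the pre-play attack)."""
    def __init__(self, harvested):
        self._harvested = harvested  # (amount, un) -> transaction dict

    def generate_arqc(self, amount, un):
        if (amount, un) not in self._harvested:
            raise ValueError("no harvested cryptogram for this UN")
        return self._harvested[(amount, un)]


class Issuer:
    def __init__(self, keys):
        self._keys, self._seen_atc = keys, set()  # pan -> key; (pan, atc) already used

    def verify_chip(self, txn):
        expected = _cryptogram(self._keys[txn["pan"]], txn["pan"], txn["amount"], txn["un"], txn["atc"])
        if not hmac.compare_digest(expected, txn["arqc"]):
            return False
        if (txn["pan"], txn["atc"]) in self._seen_atc:
            return False  # same counter again: a replayed cryptogram
        self._seen_atc.add((txn["pan"], txn["atc"]))
        return True

    def verify_stripe(self, track2, amount):
        """Static data: nothing binds it to this transaction, so a copy passes."""
        return track2.split("=")[0] in self._keys


class Terminal:
    def __init__(self, issuer, un_source):
        self._issuer, self._un = issuer, un_source

    def pay(self, card, amount):
        un = self._un()
        try:
            txn = card.generate_arqc(amount, un)
        except ValueError:
            return False
        return self._issuer.verify_chip(txn)


def counter_un(start):
    """The broken terminal from the comment: the UN is a counter, not random."""
    state = {"n": start - 1}

    def nxt():
        state["n"] += 1
        return state["n"]
    return nxt


def scenarios():
    issuer = Issuer({PAN: CARD_KEY})
    card = ChipCard(PAN, CARD_KEY)
    good = Terminal(issuer, lambda: secrets.randbits(32))
    bad = Terminal(issuer, counter_un(0x1000))
    out = {"genuine_chip": good.pay(card, 2599)}
    # 1. Replay: resubmit a captured chip transaction verbatim.
    captured = card.generate_arqc(1000, secrets.randbits(32))
    issuer.verify_chip(captured)
    out["chip_replay"] = issuer.verify_chip(captured)
    # 2. Mag stripe: replay track data captured from the merchant network.
    out["stripe_replay"] = issuer.verify_stripe(SAMPLE_TRACK2, 1000)
    # 3. Pre-play: attacker predicts the bad terminal's next UNs, has the real
    #    card compute cryptograms for them, then spends with a clone card.
    harvested = {(5000, un): card.generate_arqc(5000, un) for un in range(0x1000, 0x1003)}
    clone = CloneCard(harvested)
    out["preplay_vs_counter_terminal"] = bad.pay(clone, 5000)
    out["preplay_vs_random_terminal"] = good.pay(clone, 5000)
    return out
```

The clone never learns the card key; it only works where the terminal asks for exactly the UN the attacker predicted, which is why the comment's proposed fix (a genuinely unpredictable number, and the standard requiring one) closes the hole, and why stolen stripe data needs no such trick at all.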

  • 31 The Top 5 Stories Of The Year In Digital Payments, Including The Rise Of Uber | Digital Wealth   December 27, 2013 at 11:51 am

    [...] LESSONS LEARNED: Avivah Litan, an analyst at Gartner for 12 years, takes us through what we can take away from the Target data breach. (Gartner) [...]

  • 37 Target Credit Card Data Leaked ‹ Angle 17   December 28, 2013 at 2:23 am

    [...] According to Avivah Litan, financial fraud analyst at Gartner, Target will most likely have to face fraudulent charges and have to pay around 25 million dollars in total fees. [...]