This series of articles presents a developer's point of view on, and the lessons learned from, the recent Target retail store security breach, in which various reports say that data for around 40 million customer credit and debit cards may have been compromised. The attack is currently the talk of the town and is under analysis by various security agencies, including the US Secret Service.
In this article, we look at the different possibilities, attack vectors and security vulnerabilities that could have led to this attack.
- One of the many possibilities is the installation of malware on the POS systems where customers swipe their cards for the purchases they make. This could have been done by hacking into an administrative system and gaining control of the software responsible for installing up-to-date firmware on every POS system. That way, the hacker could have triggered the installation of malware on the POS systems, which then captured card data and passed it on to the hackers’ site. With the help of the malware, the “track data” could have been obtained and used to create duplicate cards. If we assume this to be true, the question that needs to be pondered is how the hacker got access to this administrative system. This could be due to different vulnerabilities in the system, including but not limited to SQL injection. Additionally, the possibility that the password to the admin system was leaked by an insider cannot be ruled out. What can a security officer take away from this? The whole set of requirements around the principle of “least privilege”, which means that not everyone should have access to the data of every system.
- Another possibility could be a pure case of injection, which may have led to the theft of critical card data such as cardholders’ names, card numbers, expiration dates and “track data”, which can be used to create duplicate cards. And if the database had stored PINs, which is not a desirable thing to do, such a duplicate card could be used to withdraw cash from an ATM as well. However, as per the report published by the Target spokesperson, data such as PINs or security codes has not been stolen. This could be due to multiple reasons, such as one-way encryption of this data, or the CVV/CVC codes not being stored in the Target database at all. The lesson is to make sure that under no circumstances is data such as security codes stored in the ecommerce store database. During the transaction, the security code should be checked with the payment processor at runtime.
- Another possibility is gaining access to the Target network, and hence the database, from a partner’s IT infrastructure. As we all know, Target has outsourced its software development to various vendors across geographies. The hackers could have explored this path, hacked a partner’s IT infrastructure, including developers’ laptops, and used this door to enter the Target network and steal information from the database.
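The second possibility above makes two separate points: a query built by string concatenation is open to injection, and security codes must never sit in the store database. The following is an added example (not code from the original post, and nothing to do with Target's actual systems) that shows both on an in-memory SQLite table: the schema has no column for CVV, PIN or track data and the storage routine refuses a card dict that still carries them, while the same lookup is written once by concatenation and once with a bound parameter. Table and column names, the probe input and the sample rows are all constructed for the example.

```python
import sqlite3

# Sensitive authentication data that must never be written to the store's database.
# Key names are constructed for this example; they mirror the fields a payment flow
# might carry in memory during authorisation.
FORBIDDEN_AT_REST = ("cvv", "cvc", "pin", "track1", "track2")


def open_store() -> sqlite3.Connection:
    """Create an in-memory transactions table (constructed schema).

    Note what is absent: no CVV/PIN/track columns exist, so even a buggy
    code path has nowhere to put them. The full card number is replaced
    by the payment processor's token plus the last four digits.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        " id INTEGER PRIMARY KEY, customer_email TEXT NOT NULL,"
        " cardholder TEXT NOT NULL, last4 TEXT NOT NULL, expiry TEXT NOT NULL,"
        " processor_token TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
    )
    return conn


def store_transaction(conn, customer_email, card, amount_cents):
    """Persist an authorised transaction; `card` is the in-memory card dict.

    Any sensitive authentication data still present is refused rather than
    silently dropped, so a caller that forgot to discard it fails in testing.
    """
    leaked = [k for k in FORBIDDEN_AT_REST if k in card]
    if leaked:
        raise ValueError(f"refusing to store sensitive authentication data: {leaked}")
    conn.execute(
        "INSERT INTO transactions"
        " (customer_email, cardholder, last4, expiry, processor_token, amount_cents)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (customer_email, card["cardholder"], card["pan"][-4:],
         card["expiry"], card["token"], amount_cents),
    )
    conn.commit()


def find_by_email_unsafe(conn, email):
    """VULNERABLE lookup: the caller's input is spliced into the SQL text."""
    sql = ("SELECT customer_email, last4 FROM transactions"
           f" WHERE customer_email = '{email}'")
    return conn.execute(sql).fetchall()


def find_by_email_safe(conn, email):
    """Parameterised lookup: the driver binds the value, so quote characters
    in it are data, never SQL syntax."""
    sql = "SELECT customer_email, last4 FROM transactions WHERE customer_email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both points end to end and return the observations."""
    conn = open_store()
    sample_cards = [  # constructed sample data; PANs are the usual test numbers
        ("ann@example.com", {"cardholder": "Ann Example", "pan": "4111111111111111",
                             "expiry": "12/26", "token": "tok_0001"}, 1999),
        ("ben@example.com", {"cardholder": "Ben Example", "pan": "5555555555554444",
                             "expiry": "03/27", "token": "tok_0002"}, 4500),
        ("cat@example.com", {"cardholder": "Cat Example", "pan": "378282246310005",
                             "expiry": "09/25", "token": "tok_0003"}, 12000),
    ]
    for email, card, cents in sample_cards:
        store_transaction(conn, email, card, cents)

    # A card dict that still carries the CVV after authorisation must be rejected.
    try:
        store_transaction(conn, "dan@example.com",
                          {**sample_cards[0][1], "cvv": "123"}, 100)
        cvv_rejected = False
    except ValueError:
        cvv_rejected = True

    # An input that closes the string literal and appends a tautology. Against the
    # concatenated query it returns every row; the bound parameter matches nothing.
    probe = "nobody@example.com' OR '1'='1"
    return {
        "rows_stored": conn.execute("SELECT COUNT(*) FROM transactions").fetchone()[0],
        "cvv_rejected": cvv_rejected,
        "unsafe_rows_for_probe": len(find_by_email_unsafe(conn, probe)),
        "safe_rows_for_probe": len(find_by_email_safe(conn, probe)),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` stores three rows, reports the CVV-carrying record as rejected, and shows the concatenated lookup returning all three rows for the probe while the parameterised one returns none. The design choice worth copying is the first one: when the schema physically has no place for the security code, the "never store it" rule is enforced by the database rather than by every developer remembering it.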
So far, the following can be learnt from a developer’s perspective:
- Principle of Least Privilege: According to the definition at http://searchsecurity.techtarget.com, the principle of least privilege (POLP) is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs. The principle is also applied to things other than people, including programs and processes.
- Not storing critical data such as security codes in the database: This is one of the key requirements of PCI compliance. Under no circumstances shall data such as security codes or PINs be stored in the database. They should be retrieved at run time and processed appropriately.
- Not allowing any data to be stored on partners’ IT infrastructure, including developers’ boxes: It is not clear how Target’s current software development partners operate in terms of accessing the production environment, including application servers and databases, but this could be an easy way to hack the system.
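The first possibility above (a compromised admin account pushing a malicious image through the POS firmware-update system) and the least-privilege lesson in this list are two sides of the same point. The following is an added example, not code from the post and not a description of Target's real update system, of what "lowest level of rights that still does the job" looks like when applied to such a service: permissions are denied by default, every decision is written to an audit trail, and approving an image and deploying it are held by different roles, so a single leaked password is not enough to install code on every terminal. Role names, permission names, account names and the firmware bytes are all constructed.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    READ_ORDERS = "read_orders"
    REFUND_ORDER = "refund_order"
    APPROVE_POS_FIRMWARE = "approve_pos_firmware"
    DEPLOY_POS_FIRMWARE = "deploy_pos_firmware"


# Role -> permissions (constructed). Each role holds only what its job needs, and no
# single role can both approve and deploy a firmware image, so one compromised
# account or one leaked password is not enough to push code to the terminals.
ROLES = {
    "cashier": {Permission.READ_ORDERS},
    "store_support": {Permission.READ_ORDERS, Permission.REFUND_ORDER},
    "pos_release_approver": {Permission.APPROVE_POS_FIRMWARE},
    "pos_release_engineer": {Permission.DEPLOY_POS_FIRMWARE},
}


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset


@dataclass
class UpdateService:
    """Stand-in for the system that installs firmware on every POS terminal."""
    audit: list = field(default_factory=list)       # (who, action, outcome)
    approvals: dict = field(default_factory=dict)   # image digest -> approver name
    deployed: dict = field(default_factory=dict)    # terminal id -> image digest

    def _require(self, account, perm):
        """Deny by default; record every decision so a misuse attempt is visible."""
        allowed = any(perm in ROLES.get(r, set()) for r in account.roles)
        self.audit.append((account.name, perm.value, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionDenied(f"{account.name} lacks {perm.value}")

    def approve_image(self, account, image: bytes) -> str:
        self._require(account, Permission.APPROVE_POS_FIRMWARE)
        digest = hashlib.sha256(image).hexdigest()
        self.approvals[digest] = account.name
        return digest

    def deploy_image(self, account, image: bytes, terminals) -> int:
        self._require(account, Permission.DEPLOY_POS_FIRMWARE)
        digest = hashlib.sha256(image).hexdigest()
        approver = self.approvals.get(digest)
        if approver is None:
            self.audit.append((account.name, "deploy_unapproved_image", "denied"))
            raise PermissionDenied("image digest has not been approved")
        if approver == account.name:  # defence in depth if an account ever holds both roles
            self.audit.append((account.name, "self_approved_deploy", "denied"))
            raise PermissionDenied("approver and deployer must be different accounts")
        for terminal in terminals:
            self.deployed[terminal] = digest
        return len(terminals)


def _outcome(action, *args):
    try:
        action(*args)
        return "allowed"
    except PermissionDenied:
        return "denied"


def demo():
    svc = UpdateService()
    approver = Account("alice", frozenset({"pos_release_approver"}))
    engineer = Account("bob", frozenset({"pos_release_engineer"}))
    support = Account("carol", frozenset({"store_support"}))
    image = b"constructed POS firmware image v2"  # stands in for a real build
    results = {
        # a support account has no deployment right at all
        "support_deploy": _outcome(svc.deploy_image, support, image, ["POS-1"]),
        # the release engineer may deploy, but not an image nobody approved
        "unapproved_deploy": _outcome(svc.deploy_image, engineer, image, ["POS-1"]),
    }
    svc.approve_image(approver, image)
    results["approved_deploy"] = svc.deploy_image(engineer, image, ["POS-1", "POS-2"])
    results["denied_events"] = sum(1 for _, _, outcome in svc.audit if outcome == "denied")
    return results


if __name__ == "__main__":
    print(demo())
```

The audit list is the part a security operations team would actually consume: two "denied" entries appear in `demo()` before the legitimate deployment succeeds, and a burst of such entries against the firmware permissions is exactly the signal that an admin account is being misused.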
Keep a watch on this space for further analysis and developers’ takeaways as more is learnt about the attack. Feel free to share your comments if you have a different opinion.