July 21st, 2015
Here’s the thing about breaking into a multi-billion-dollar company and stealing the credit card information of millions of customers: It’s just not that hard.
Eight months after a security breach brought scorn on Target and resulted in the resignation of its CEO, Home Depot is now the victim of a nearly identical attack.
“They didn’t actually do anything clever,” said Andrew Avanessian, vice president of professional services at security firm Avecto.
Avanessian was speaking about the Target security breach, which compromised the information of millions of customers after malware infected the point-of-sale systems that process credit card swipes. Security reporter Brian Krebs reported that a similar piece of malware is to blame in the Home Depot attack, indicating that it could even be the same group responsible for the Target breach.
The hackers are one step ahead
The fact that two massive breaches of such similarity happened just months apart indicates a major problem with the system. Gaining entry is simple. Human error, such as falling for a phishing attack, can open the door. Once inside, systems that provide access across companies and departments give malware a roadmap that can lead to sensitive information.
Company security can identify and destroy malware, provided it knows what it is looking for, but hackers often remain a step ahead.
“This is a testament to just how advanced the criminals’ technology has become and how, even though similar strains have been discovered, they still weren’t able to recognize it. That’s a pretty big deal,” said identity theft expert Robert Siciliano.
Not only are cybercriminals constantly coming up with new pieces of malware, but they are also customizing code to exploit particular companies.
“It’s the same baseline code that we saw at Target,” said Alex Moss, managing partner at information security firm Conventus.
Home Depot, which declined to comment for this story, has already said it is offering identity protection services and credit monitoring to anyone affected by the breach, but the company advised customers to keep a close eye on their accounts.
You’re a victim, too
But even with help, data breaches have become so common that almost nobody is safe. Security problems are simply too common.
“Everyone’s data has been compromised at least three or four times at this point,” Siciliano said.
Customers can cancel cards and get new ones, but Siciliano recommends that people set up notifications for transactions on their accounts in order to keep tabs on their funds.
There is no shortage of security requirements that companies must abide by, but they can only do so much good. The weak links in the security systems of Target — and likely Home Depot — continue to be exploitable. In these cases, they are point-of-sale systems that have random access memory that can be “scraped” for credit card data.
These systems are in thousands of stores across the country and would require a major investment to replace.
“Being compliant does not mean you’re secure, and being secure does not mean you’re compliant,” he said.
Fixing these issues can be less about installing new security and more about refining existing systems, Avanessian noted. It is far from easy, as it requires companies to alter existing permissions — how programs are allowed to interact with the company’s system.
In the case of Target, an outside contractor had been given access to the retailer’s system as a part of doing business. Once malware got in through the contractor, it suddenly had access to much of Target through existing permissions.
Avanessian said programs can use a variety of tricks to exploit these permissions, sometimes waiting months to work through a system. But with malware changing so rapidly, limiting the pathways for malware to get to sensitive data is the only way to prevent future breaches.
“You’re never going to be ahead of the attackers because they’re always changing what they’re doing,” he said.