Although the Target breach is still under investigation, we can examine other high-profile cases and piece them together with what Target has publicly stated to develop an idea of what may have happened.
There are a few ways to gain access to critical personal information as was done in the Target breach. The first way is to use a physical device at a store hooked into the Point of Sale (PoS) system to skim credit card data. This type of breach is often isolated to a smaller number of stores where the skimmers are installed.
With the 2013 breach, we know that upwards of 100 million consumers could be affected. This enormous number implies that scammers weren’t just targeting a few stores – this would be a system-wide attack. In cases like this, it is likely that the scammers were able to infiltrate Target’s PoS network.
Attackers can use a variety of means to attack a PoS system, including malware, exposing weak passwords and exploiting vulnerabilities in the PoS software. Their goal in these cases is to gain access to the credit card data while remaining undetected.
Several pieces of malware exist that specifically target PoS systems, including Dexter and Stardust. In both cases, once the malware infects the point of sale system, it is able to search for the magnetic stripe data that your credit card uses to house information about your card and account. Once the malware finds this information, it sends it off to the attackers, and after it has been working for a few weeks, you end up with a huge breach like the one Target has on its hands.
Update: As this article was being written, Target’s CEO confirmed to CNBC that malware had infected their point of sale registers, confirming what we had already suspected.
Another frequent area of activity is the installation of credit card skimmers on ATMs. These small devices fit over the slot where you would typically insert your credit card. A small hidden camera is also installed that overlooks the keypad. As you insert and pull out your credit card, the camera activates and monitors your PIN as you enter it. Once enough cards have been scanned, the collected information is transferred to the scammers. As skimmers have become more sophisticated, it is increasingly difficult to spot one.
Data Stolen – Now What?
Once the thieves have your credit card information they can easily create counterfeit credit cards using cheap credit card encoders available online at sites like eBay. For $135, you too could purchase a credit card reader and encoder.
What can you do?
As a consumer, you don’t have a whole lot of options to stop your information from falling into the wrong hands. Luckily, you are not liable for paying any fraudulent charges on a credit card. Target has also offered a year of free credit monitoring services to anyone who used their card during the data breach. For more information regarding this service look here.
Also be sure to pay close attention to your credit and debit card statements each month to ensure you don’t have any fraudulent charges pop up. Be sure to contact your bank or card issuer if you suspect any foul play.
Unfortunately, attacks like these will continue, and even with millions of dollars invested in cyber security, scammers will still get the occasional win. It’s a price we pay for the convenience of using plastic money.