As more detail comes to light about how Target's data breach occurred, retailers need to completely rethink their approach to protecting card data.
Hackers got into Target's system using compromised credentials for a refrigeration, heating and air conditioning subcontractor, according to a report last week by Brian Krebs, the security expert who first broke the news of the massive Target card data breach.
In many other breaches, hackers targeted payment processors or other entities with a more direct connection to the payments data. But in the Target incident, "this was a heating and AC vendor and it makes you wonder how that would give the criminals access to such sensitive areas," says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
Target would not comment on its vendor relationship. "As this is an active and ongoing investigation, we dont have any additional details to share at this time," says Molly Snyder, a Target spokeswoman.
Previous approaches to security have been focused on segmenting systems that handle card data to put up barriers to the data's access. However, many security experts are now calling for retailers to make sure the data can't be extracted in a usable form even when the hackers have gained access.
"Businesses need to recognize that security might not be just about keeping the bad guys out, but making sure the sensitive information that you have doesn't get out," says Mike Keresman, CEO of Cleveland, Ohio-based CardinalCommerce.
Cybercrooks are never going to stop pursuing the weakest links in the payments chain to steal data, however, companies can do much now "to make that information not meaningful," Keresman says.
Having a fraudster enter a system through stolen vendor credentials could happen to any company, Keresman says.
"Companies might have vendors or contractors they have used for years, whether it is HVAC or cleaning or anything like that," Keresman adds. "All of a sudden that company gets compromised through its own actions or through nothing directly involving them."
Various layers of security, such as EMV chip-based cards and tokenization to obscure card data, can make it more difficult for fraudsters to get out of a network with valuable data, Keresman says.
"You can't make fraud impossible, but you want to make it expensive for the bad guys," he adds. "With the Target breach, if EMV cards were in place, they could steal that data but would have to put it on a chip, which isn't too easy."
Aite's Conroy agrees, saying her firm placed "de-value the data" in its list of top 10 trends for merchants this year. Merchants have long needed to make the same assumptions that banks are making about the endpoints in online and mobile payment technology eventually being compromised, Conroy says.
"The key is making sure they can't get away with anything of value," she adds.
Some companies are proposing ways to make sure the criminals, once they get in a network, can't get out.
Security vendor Mako Networks, based in Auckland, New Zealand, touts a security measure that blocks the data in the system, making it difficult for hackers to leave with a treasure trove of card numbers.
Mako says it establishes firewall rules when a network is first configured, calling for a strict set of permissions for which devices and network locations are allowed to "talk" to other internal and external locations.
The system does not permit any outbound traffic from the payment network, except to specific, authorized IP addresses, the company says in a whitepaper on its study of the Target breach.
Not allowing a hacker out of a system has some appeal, considering stealing vendor credentials to gain initial access is often a simple task for cybercrooks.
"Unfortunately, the weak link in the chain is commonly an employee that gets fooled into opening an e-mail attachment or clicking on a link," says Jeff Swearingen, CEO and co-founder of Bee Cave, Texas-based SecureLink. "Having a realistic policy in place for managing your vendors can eliminate much of the human risk in the equation."
In the information technology world, any vendor is also a technology company, Swearingan says.
Companies have various policies regarding who has access to a network and how to authenticate that access, but should always have control over the access, Swearingen says. "It's the keys to the house."
"At a minimum, the customer should know what individual is accessing any system and why they are there, what they are doing, or what they did," Swearingen adds.