When we think of cybercrime, we think of phishing scams launched from strange email accounts or attacks that harvest passwords from social networks. It’s hardly the type of thing that crosses a person’s mind while buying Christmas gifts at Target.
But it is cyber-criminals who have now compromised as many as 40 million credit and debit card accounts used at brick-and-mortar Target stores around the U.S. The attack came between Nov. 27 and Dec. 15, the busiest shopping period of the year. Target revealed Thursday that a third party gained access to a huge trove of customer data, which included names, credit card numbers, expiration dates, and the three-digit security codes typically found on the back of credit cards. The breach is the latest in a string of hacks that have targeted brick-and-mortar stores in much the same way websites are often attacked.
“It’s not what comes to people’s mind very often when you say ‘cybercrime,’ but it is an accurate portrayal,” says Al Pascual, senior analyst of security risk and fraud at Javelin Strategy and Research.
A Target spokeswoman declined to provide any details on how the security breach occurred, but a variety of security experts agreed that it likely involved Target’s point-of-sale system, the software the company uses to carry out transactions at the cash register. “There’s a lot of different ways people can get in and potentially hack these systems,” says Justin Cappos, a computer science professor at the Polytechnic Institute of New York University. “Realistically, when you look at it, it’s pretty much like a Windows or Linux machine that’s just connected to the Internet.”
The strategies used to infiltrate a point-of-sale system can be similar to those used to target other pieces of software. Dexter, a piece of malware that specifically targets point-of-sale programs, is believed to have been responsible for widespread credit card theft at fast food restaurants in South Africa this year and may have infiltrated Target’s network. An employee could have purposefully left a backdoor open for hackers or unknowingly clicked a link that allowed an entry point for the malware or some other malicious code. The company’s wireless network could also have been compromised. In 2007 hackers were able to access TJ Maxx’s central database and steal account information for 45.7 million credit cards by intercepting the data traveling between hand-held price scanners and cash registers, according to the Wall Street Journal.
The scope of the Target theft—and the fact that it hit during the busiest shopping season—means it was probably the work of organized cyber criminals who had planned for it well in advance. Instead of trying to use the credit card data themselves to buy things, they’re likely to sell the data on underground forums, experts say, perhaps for a few dollars per card. “You’ve seen the commercialization of cyber attacks,” says Barbara Endicott-Popovsky, the Director of the Center for Information Assurance and Cybersecurity at the University of Washington. “It’s a business. The general public would be shocked and amazed by the size of the problem.”
Target has advised everyone who shopped at their stores during the two-and-a-half week period when the attack happened to monitor their bank accounts closely, even though the company says they’ve resolved the issue that led to the breach. According to Javelin Strategy and Research, about one-fourth of people who receive letters informing them of a potential breach of their financial data end up becoming victims of identity fraud.
Analysts say physical retailers may be more susceptible to damaging online attacks than Internet companies, whose entire credibility is often built on protecting users’ data on the Web. Certainly, the stakes for a company like Target are higher—while tech firms like Twitter, LinkedIn and Facebook have reported data breaches that resulted in stolen passwords and emails in recent years, none of them hold onto as much financial data as retailers. Amazon had one scare in 2012, when its online shoe store Zappos suffered a data breach, but hackers did not gain access to credit card info.
Meanwhile Subway and Barnes & Noble have also been attacked in recent years through their physical stores. “It does seem to me like this is on the increase,” Cappos says.
Experts predict that the problem will only become more pronounced as more of the things we interact with in the real world become tied to online networks. “People who run companies are not aware that they’ve actually become software companies,” Endicott-Popovsky says. “We’re headed toward the Internet of things, where we have embedded software in every product. What we’ve done is open up a whole host of vulnerabilities.”