How the Target Breach Happened

NEWS ANALYSIS: Security professionals are trying to figure out what really happened at Target, but the truth is you can't blame any one technology.

The security breach at U.S. retailer Target in December has been the subject of intense scrutiny and speculation over the course of the last month.

Few details were made public when Target first admitted to the security breach on Dec. 19, 2013. This month, little by little, scraps of information have emerged, including the disclosure that some form of point-of-sale (POS) malware, identified as a RAM scraper, was involved.

Over the course of this month, there have been multiple reports and claims about the Target breach from security vendors and experts, raising the same questions: What can people do? What should Target have done? Do we need more secure credit cards?

The simple truth is that Target should not have been breached by any one technology failure or vulnerability. Security in the modern world should never just be one thing, and it is not defined by any single vendor, product or technology.

The truth is that security must always be a continuous process. That's not just a motherhood-and-apple-pie truism either.

You have to think like an attacker first to understand what's going on here. First of all, for an attacker to get data from a network, he or she has to infiltrate the network. In a typical enterprise environment, defenses against infiltration include access controls and perimeter defenses, such as a firewall.

In Target's case, the perimeter is the POS device, so the attacker needed to infiltrate that device. As part of the Payment Card Industry (PCI) standards compliance, there are rules in place that are supposed to ensure the physical integrity of the device, such that an attacker couldn't easily open and tamper with the device's internal circuitry.

However, there was a Black Hat USA presentation in 2012 in which a pair of security researchers were able to infect a POS payment terminal using a malicious card. While some have argued that EMV (Europay, MasterCard, Visa) chip-based cards could have prevented the breach, there have also been public exploits of that technology. In 2011, a Black Hat researcher demonstrated how to hack into EMV machines as well.

So let's assume the Target attacker used a technique to infiltrate the network by way of the POS devices. Proper security procedures and technologies should have been in place to prevent unauthorized, fake cards from being able to load code and infiltrate the network.

That's step one: Stop the point of entry.


Step two in any attack is exploitation. Just because an attacker gets access to a network doesn't mean anything, unless there is a vulnerability that can be exploited. That's where the RAM scraper bit comes in.

RAM scraper is a known vulnerability that could enable an attacker to remove data from memory (RAM) on a POS device. The obvious fix for any type of vulnerability is to patch the issue (if there is one), but in some cases, patching is neither easy nor possible.

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.