It’s been a while since the last streak of large-scale commercial data breaches, but it looks like the lull is over. The data breach against TJX comes to mind quickly, which compromised 90 million accounts. Hannaford, Sony and others have followed. Everyone has grown smarter since then – both the bad guys and the good guys – which brings us to the Target, Neiman Marcus and Michael’s data breaches, all disclosed within the past 45 days.
The Target and Neiman Marcus breaches involved malware that stole debit and credit card information from in-store cash registers. This is an ironic twist on current urban legends that paint the Internet as far more risky than face-to-face transactions. Just imagine the horror when the in-store customers discovered that their online brethren were untouched by these breaches.
A report by iSight Partners of Dallas said the attacks used a malicious program that scraped personal data from terminals at store check-out stations. iSight claims the program “Kaptoxa” was “almost certainly derived” from BlackPOS, a specialized piece of malware designed to be installed on point-of-sale (POS) devices that records all data from credit and debit cards swiped through the infected system. It has been available on the black market since June 2013. It now appears that the Target breach was part of a broader scam, which could affect a large number of retailers.
The type of data stolen – known as “track data” – enables a thief to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves were also able to intercept personal identification numbers for debit transactions, they could reproduce stolen debit cards and use them to make fraudulent purchases or to withdraw cash from ATMs.
U.S. banks have replaced 15.3 million debit and credit cards after the Target breach, at a cost of more than $153 million. The price tag for banks could grow to hundreds of millions of dollars, and possibly billions, as more retailers announce breaches.
Closing The Floodgates
The obvious question is, “How did these breaches happen?” Followed by a healthy, “How can I protect myself going forward?”
The ultimate irony is the method by which the criminals transmitted 11 gigabytes of customer data to their own servers, and from there to auctions, where they sold card information to the highest bidder. Information Week reported that it was File Transfer Protocol (FTP) – one of the oldest and simplest ways to move data across the Internet. FTP is also one of the easiest protocols to stop.
At banks and other secure facilities, outbound transmissions via FTP, SSH and similar protocols are commonly blocked except to authorized third parties. Additional methods for moving data are also locked down, with permission to transmit granted on a case-by-case basis. If all else fails, data center personnel review their daily transmission logs, note anomalies and investigate.
From what we can gather, Target didn’t have these controls and checks in place from Nov. 27 to Dec. 15, and if the Neiman Marcus attack followed the same path, they weren’t doing these things from July 16 to Oct. 30.
In movie land, this sort of work is assigned to a hyper tech who types faster than the speed of sound and retrieves the crucial needle in the haystack one nanosecond later. In real life, it takes a bit longer. Still, someone could have shut the floodgates a lot sooner, millions of consumers would not be waiting for new cards, and banks wouldn’t be left bearing the cost of replacing those cards.
Here are a few steps your organization can take to help prevent these attacks in the future:
Lock down outbound file transfers to authorized locations. If there is a business reason to use FTP and similar protocols, evaluate these on a case-by-case basis. This sounds like a cumbersome process, but after the up-front work it’s relatively simple to maintain.
Review system logs daily, report anomalies up the chain of command, and pursue them rigorously.
Look beyond servers, workstations and other end-user devices such as tablets and smartphones. There are many more devices with the ability to become compromised. Access controls should be enforced across the many devices that others may overlook – point-of-sale systems, ATMs and camera systems are just a few examples.
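As an added illustration that is not part of the original article, here is a small Python sketch of the first two steps above: it reads constructed connection-log lines, flags outbound FTP and SSH connections to destinations that are not on an approved list, and flags unusually large outbound volumes to a single destination. The log format, the allowlist and the volume threshold are assumptions, not taken from the article or from any vendor's product.

```python
import re
from collections import defaultdict

# Constructed sample connection log (not from the article):
# timestamp src_ip dst_ip dst_port bytes_out
SAMPLE_LOG = """\
2013-12-01T02:14:05 10.10.5.21 203.0.113.9 21 524288000
2013-12-01T02:15:10 10.10.5.22 198.51.100.4 21 1024
2013-12-01T09:30:00 10.10.7.3 192.0.2.44 443 4096
2013-12-01T11:02:33 10.10.5.21 203.0.113.9 22 734003200
2013-12-01T13:45:12 10.10.5.40 198.51.100.4 21 2048
"""

# Hypothetical allowlist: (destination, port) pairs approved case by case.
ALLOWED_TRANSFERS = {("198.51.100.4", 21)}   # e.g. an approved partner FTP drop
FILE_TRANSFER_PORTS = {21, 22}              # FTP and SSH/SFTP
VOLUME_THRESHOLD = 100 * 1024 * 1024        # flag more than 100 MiB out per src/dst pair

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (\d+) (\d+)")

def parse_log(text):
    """Yield (ts, src, dst, port, bytes_out) tuples from the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, port, nbytes = m.groups()
            yield ts, src, dst, int(port), int(nbytes)

def find_anomalies(text):
    """Return findings: file-transfer connections outside the allowlist,
    and source/destination pairs whose total outbound volume is too large."""
    findings = []
    volume = defaultdict(int)
    for ts, src, dst, port, nbytes in parse_log(text):
        if port in FILE_TRANSFER_PORTS and (dst, port) not in ALLOWED_TRANSFERS:
            findings.append(("unauthorized_transfer", ts, src, dst, port))
        volume[(src, dst)] += nbytes
    for (src, dst), total in volume.items():
        if total > VOLUME_THRESHOLD:
            findings.append(("high_volume", src, dst, total))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

Run against the sample, it reports two unapproved transfers from 10.10.5.21 and the roughly 1.2 GB that host sent to the same destination, the kind of anomaly the article says should be escalated and investigated the same day.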
Disconcerting as the current rash of breaches may be, we can use them as an opportunity to harden our defenses. If we don’t, we can be sure that the criminals will eventually find and exploit our weaknesses.
Matt Lidestri is the Internet and security product manager for Avon, Conn.-based COCC Inc.