Retail giant Target has yet to announce exactly how attackers compromised its point-of-sale (POS) devices to steal roughly 40 million credit and debit cards and CVV codes in two and a half weeks, but researchers and security experts have already begun weighing in on the implications of such a colossal breach.
Paul Kocher, president and chief scientist at San Francisco-based cryptography company Cryptography Research, told SCMagazine.com on Thursday – the day Target officially announced the breach – that this incident highlights the need for rapid improvement in PCI requirements for payment systems.
“This standard currently defines an ‘attack potential’ for various kinds of threats, but a limitation of this approach is that these calculations tend to overestimate efforts because they don't reflect improvements that creative attackers can find,” Kocher said.
Transitioning to smart cards and other cryptographic payment systems would help by providing retailers with non-reusable transaction authorizations, as opposed to needing all the information required for a transaction, Kocher said.
Avivah Litan, vice president and distinguished analyst at research firm Gartner – who blogged about the breach on Thursday – agreed. “Bottom line: It's time for the U.S. card industry to move to chip/smart cards and stop expecting retailers to patch an insecure payment card system,” she wrote.
Meanwhile, the financial impact of the breach continues to be debated. Litan said that while the actual fraud loss that Target will pay is likely less than $25 million, the fees the retailer will pay the banks may be twice that.
Kocher suggested Target will pay a few hundred million dollars in direct costs, as a result of fines and settlements. On Thursday, at roughly 3 p.m., Kocher explained that the stock market had Target down 2.14 percent, which is about 1.66 percent greater than the day's losses at Walmart and Costco.
“1.66 percent of Target's market cap of $39.3 billion equals $652 million, which is largely attributable to the breach,” Kocher said.
In an email to SCMagazine.com on Friday, Nathaniel Couper-Noles, a principal security consultant at mobile and cloud security company Neohapsis, said that the Target breach is similar to the 2006 breach of TJX, during which roughly 45 million credit and debit cards were compromised. At one point, TJX estimated the cost of that breach at $256 million, he said.