Hackers can break into PoS systems and merchant networks by exploiting various security holes, but a common method is to steal or brute force remote administration credentials. There are many merchants that rely on third-party companies for technical support and those companies frequently use remote access tools, sometimes with easy-to-guess credentials.
Visa's alert contains recommendations for securing both merchant networks and the PoS systems against malware attacks.
"Use two-factor authentication when accessing the payment processing networks," the credit card company said. "Even if Virtual Private Networking (VPN) is used, it is important that 2-factor authentication be implemented. This will help to mitigate key logger or credential dumping type of attacks."
Another security measure that could prevent RAM scraping attacks is to implement hardware-based end-to-end, or point-to-point, encryption. This would ensure that card data is not exposed in cleartext at any point on its way to the payment processor. However, implementing this technology could involve acquiring and deploying new PoS terminals and card readers, which can be very expensive for a large retailer.
With the information from a card's magnetic stripe, known as track 1 and track 2 data, cybercriminals can effectively clone the card. However, they also need the PIN in order to withdraw money from an ATM or perform fraudulent transactions with a cloned debit card.
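The RAM-scraping threat described above leaves a recognisable trace: cleartext track 1 or track 2 records sitting in process memory or leaving the network. The following Python detector is an added example written for this page, not code from Visa's alert or from the article; the scanned buffer and the PANs in it are constructed test values, and the track layouts follow the public ISO/IEC 7813 format.

```python
import re
from dataclasses import dataclass

# Constructed sample buffer: the kind of process memory or log fragment in which
# cleartext card data would be exposed.  The PANs are well-known test numbers.
SAMPLE = (
    b"POS-TXN 0042 OK\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000?"   # track 1 record
    b"\x00\x10garbage\x00"
    b";5555555555554444=2512101123456789?"              # track 2 record
    b" decoy ;1234567890123456=2512101?"                # fails Luhn: noise
)

# Track 1: %B <PAN> ^ <name> ^ YYMM <service code> <discretionary> ?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")
# Track 2: ; <PAN> = YYMM <service code> <discretionary> ?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check digit validation; filters sentinel-looking noise from real PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                      # ASCII digit to int
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep first 6 and last 4 digits so an alert does not re-leak the PAN."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


@dataclass(frozen=True)
class Finding:
    track: int
    pan_masked: str
    expiry: str      # YYMM as encoded on the stripe
    offset: int      # byte offset inside the scanned buffer


def find_track_data(buf: bytes) -> list[Finding]:
    """Return track 1/2 records with a Luhn-valid PAN and a plausible expiry month."""
    findings = []
    for track, pattern in ((1, TRACK1), (2, TRACK2)):
        for m in pattern.finditer(buf):
            pan = m.group(1)
            yy, mm = (m.group(3), m.group(4)) if track == 1 else (m.group(2), m.group(3))
            if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
                continue
            findings.append(Finding(track, mask_pan(pan), (yy + mm).decode(), m.start()))
    return sorted(findings, key=lambda f: f.offset)


if __name__ == "__main__":
    for f in find_track_data(SAMPLE):
        print(f"track {f.track} at offset {f.offset}: PAN {f.pan_masked} exp {f.expiry}")
```

Run against memory dumps of the payment application or against captured egress traffic, any hit means card data exists in cleartext at that point, which is exactly what point-to-point encryption is meant to prevent.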
In the Target case, the PIN was reportedly encrypted at the keypads with the Triple Data Encryption Standard algorithm (Triple DES or 3DES), which is commonly used in the payment industry.
"Due to how the encryption process works, Target does not have access to nor does it store the encryption key within our system," Target said on its website. "The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident."
Some security researchers believe that if Target implemented 3DES encryption as mandated by the payment industry's security standards, brute-force attempts to recover the PINs are unlikely to succeed; others remain skeptical.
The matter of PIN decryption has been widely discussed in underground forums, and at the beginning of January a cybercriminal posted a request for help to decrypt 50GB of stolen PIN blocks, Andrey Komarov, CEO of cybercrime intelligence firm IntelCrawler, said via email.
The IntelCrawler researchers followed the discussion and determined that some of the cards in a sample set provided by the hacker had been issued by U.S. and Canadian banks. "The recent request by the underground to decrypt PIN data may be coincidental to the Target breach or possibly some of the actual perpetrators floating the sample to see what resources and success the power of the underground has had or could have given the magnitude and value of the Target breach," they said in a blog post.