How The Hackers Did It: A Dicussion About Target's Data Breach
MELISSA BLOCK, HOST:
Target is apologizing in full-page newspaper ads for a massive cybersecurity breach. Hackers stole the credit card numbers of 40 million Target shoppers over the holiday season. And on Friday, the retailer acknowledged that the names, mailing addresses, phone numbers and email addresses of at least 70 million customers were also stolen. Neiman Marcus has also admitted it was a victim of hacking, but has not said how many customers were affected. And according to Reuters, three other well-known U.S. retailers were the recent targets of similar breaches.
For more on just how this hacking works, I'm joined by Mark Rasch. He's a former Justice Department prosecutor for cybercrimes. Mark, welcome to the program.
MARK RASCH: Thank you.
BLOCK: And technically, help us understand how the payment card data was taken. What happens?
RASCH: Well, so far, Target has not released explicit details on how it was taken. But it seems to have been taken from two different places. One is from the point-of-sale terminal. That's the place where you swipe your credit card. They were able to scrape data off of there. And the second place is from inside Target itself; where they store your name, your address and your email address.
BLOCK: OK. I want to ask you about that term. You're scraping data. What does that mean? What happens there?
RASCH: You have data stored on your credit card, on the magnetic stripe. And it's got to be read by a machine to get into, say, Target's computer system. So it's read into the machine at this point-of-sale terminal, when you hand your card over and it's swiped. It's stored in something called RAM, random access memory. And the computer hackers have come up with something called a RAM scraper. And what it does, it sucks up that data and sends it to the hackers.
BLOCK: The data is supposed to be encrypted, though, right?
RASCH: It has to be read first and then encrypted. So the key for the hackers is to get it before it gets encrypted. And that's why they're using these RAM scrapers.
BLOCK: We mentioned the additional information that we now know was stolen besides the credit card numbers - all of the personal information; names, addresses, phone numbers. What would that allow hackers to do?
RASCH: If you have a lot of personal information about somebody, then you can do more than just commit credit card fraud. You can actually become those people. So you can get new credit in their name. You can apply for mortgages and bank loans in their name, and that's identity theft and identity fraud. That's much more serious than simple credit card fraud.
BLOCK: Help us understand how the black market in these credit card numbers works. Once the information is stolen, what happens to it?
RASCH: The problem for hackers is now they have a bunch of credit card numbers, and they want to turn that into money. So what they do is, they will sell the credit card numbers on the black market through these hacker or carder websites, C-A-R-D-E-R. And people will buy them; and they'll buy them based upon whether they're a gold card or a platinum card, and what the credit limit is, and what bank issued it and whether it's a U.S. bank. And they have different values. So people will buy the cards and once they buy the cards, they'll turn them into actual, physical plastic cards all over the world - buy goods, buy services, then sell those on the black market as well. So it's a fairly sophisticated operation.
BLOCK: Who's running this black market?
RASCH: Well, there are lots of people. A lot of it comes out of eastern Europe. A lot of it coming out of the former Soviet republics. But even within the fencing - that is to turn the goods that you buy at a Best Buy into money - that can happen anywhere in the world; typically, Southeast Asia, Africa and South America.
BLOCK: And for investigators, how do you go about trying to shut this market down?
RASCH: Well, there's two ways you're going to investigate this. One is to look at the Target store - when did they get hacked, how do they get hacked, how did the data get out? And the second one is follow the money backwards. So you see where the products that were bought with the stolen cards are coming from, and work your way backwards. Hopefully, that's how you catch these guys.
BLOCK: Is there much of a history of successful prosecution? I mean, if all of this is as open as you seem to say it is, with these websites where you can trade in these numbers, it would seem like people should be able to shut this down.
RASCH: To a great extent, U.S. law enforcement is playing a game of whack-a-mole. We catch one, and a dozen more pop up. But there have been successful prosecutions, and there are people in jail in the United States - and around the world - for participating in these carder activities. You only catch a small percentage of them. And with tens of millions of credit card numbers floating around, they have a big incentive not to get caught and a lot of resources with which they can hide.
BLOCK: Mark Rasch is a former cybercrime prosecutor at the Justice Department. Mark, thanks for coming in.
RASCH: Thank you.
(SOUNDBITE OF MUSIC)
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR’s programming is the audio.