Cyber experts are calling the breach at Home Depot the biggest hack in the history of American retail. The breach began in April and coursed through the retailer’s systems for five months undetected.
Atlanta-based Home Depot admitted Thursday that 56 million customer credit card and pin numbers had been stolen. Many of those ended up for sale on cyber black markets, dumped in batches with names like “American Sanctions.” In a press release, Home Depot did not say how much damage, at least in dollars, had been caused.
“Looks like they got more credit card numbers from Home Depot than they did at Target,” said cyberwarfare expert Robert Twitchell, who has followed the mysterious attack.
Hackers attacked Target in December with an aggressively quiet strain of malware called BlackPOS that remained undetected long enough for the cyber thugs to siphon over 40 million credit card and pin numbers. And, as with the Home Depot breach, the malware was inserted into Target’s Point of Service terminals.
That attack cost Target more than $100 million. Till now, Target was considered the biggest hit ever unleashed in the United States.
Home Depot’s release emphasized what it has been doing to fix the issue:
“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements. The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.”
No matter how much information is uncovered by Secret Service forensic investigators, who are leading the investigation, or Symantec, which is also working the case, Twitchell said more breaches like this are assuredly on their way. Since cyber defense technologies that help prevent such breaches are not yet in place, at least not with big retailers, the victim tally will mount.
“It’s a Confucious type of question,” said Twitchell, founder of Dispersive Technologies in Atlanta, just down the street from Home Depot’s HQ.
In the case of the Home Depot, Twitchell, who maintains a security clearance for his work for the U.S. Department of Defense, said one of the main problems is that existing detection systems used by U.S. retailers are available right off the shelf.
What this means, he said, is that hackers have access to the systems used by their targets, so they spend time quietly hacking them, which prepares them for their actual hit.
“Hackers have an advantage in that they can practice against firewalls, ISP systems, and RTP’s, or Real-time Transport Protocols,” a standard packet format that facilitates delivery of real-time video and audio over IP networks, he said.
“Point of Sale devices typically use DES (Data Encryption Standard) or TDES. Many retail companies such as Home Depot will use the Microsoft 56 bit or 128 bit encryption. The data from the PoS devices typically aggregate the transaction information at a server and then send it out,” he said.
“It’s a well-known fact that encryption can be broken. Hackers aren’t necessarily doing it real time; they may be grabbing the traffic and using man-in-the-middle attacks to gather the data, but it doesn’t matter. If the data isn’t time sensitive, and here it’s not, the hackers can spend a couple of days if necessary to crack the encryption,” he added.
“And, they can probably do it with a couple of computers, so their cost may be all of $25,000 or $50,000, including their labor. Not a bad return!”
In fact, the power of modern processors, whose speed Intel doubles every 18 months, is assisting cyber thugs, who harness their power for brute force attempts at encrypted passwords. Brute force attacks are thought to be responsible for the recent penetration of Apple’s iCloud moat in August. Criminals lifted nude pictures of celebrities from their accounts and posted them online.
For Twitchell, who has worked at Nokia and Motorola, the only reasonable remedy at this point is to adapt advanced electronic warfare tactics. Otherwise, the cyber security veteran said, the next serious intrusion, already in the planning stages, will succeed like Target and Home Depot.