
Target Data Breach Outlines Need for Application Whitelisting, Flaws in PCI-DSS

As I find myself diving deeper down the rabbit hole of the recent Target data breach and the malware writers behind it, I can't help but keep asking "Why were no safeguards put in place to prevent this?"

For those who didn't hear, two Mexican citizens were arrested in Texas for using stolen credit card numbers to purchase goods, and the case may lead back to the Target data compromise.

Quite honestly, with today's computer security suites, there is almost no excuse for a statically configured system such as a point-of-sale terminal to ever be infected by malware. With application whitelisting properly implemented, only executables on a pre-approved list (identified by hash or by signing certificate) are allowed to run, so a binary the terminal has never seen is blocked whether or not any anti-virus vendor has a signature for it. That protects the system even from unknown malware. What whitelisting does not cover is abuse of an already-approved program or code injected into a running process, so it complements network segmentation and monitoring rather than replacing them.

However, the Payment Card Industry Data Security Standard (PCI-DSS) only requires anti-virus software (Requirement 5), which by design protects against "known" malware, plus a network firewall (Requirement 1).
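To make the contrast concrete, here is an added example written for this post; it is not code from the original post or from any vendor product. It models both controls over constructed in-memory "executables" (the byte strings, file names and hashes are all made up): a signature-based AV denylist that knows only one old malware sample, and a hash allowlist built from the two approved POS images. The never-before-seen RAM scraper and a trojanized copy of pos.exe sail past the denylist but are blocked by the allowlist, which is the whole argument above.

```python
import hashlib

# Constructed sample "executables": short byte strings standing in for real
# binaries. The names and contents are made up for this example and are not
# real POS software.
APPROVED_IMAGES = {
    "pos.exe": b"MZ\x90\x00 lane POS application build 1.0",
    "printer_svc.exe": b"MZ\x90\x00 receipt printer service build 2.3",
}

# Constructed malware samples (also made up):
# 1) A memory scraper no vendor has ever seen, so no signature exists for it.
UNKNOWN_RAM_SCRAPER = b"MZ\x90\x00 scrape track data from process memory"
# 2) A trojanized copy of the real POS binary: same file name, a few bytes patched.
TROJANIZED_POS = APPROVED_IMAGES["pos.exe"].replace(b"1.0", b"1.1")
# 3) An older, already-catalogued sample the AV vendor does have a signature for.
OLD_KNOWN_MALWARE = b"MZ\x90\x00 last year's POS malware family"


def sha256_hex(image: bytes) -> str:
    """Hash the executable image; both the allowlist and the denylist key on this."""
    return hashlib.sha256(image).hexdigest()


# Signature-based AV, the PCI-DSS baseline: a denylist of hashes of *known* malware.
AV_SIGNATURES = {sha256_hex(OLD_KNOWN_MALWARE)}


def av_allows(image: bytes) -> bool:
    """Blacklist model: run anything unless it matches a known-bad signature."""
    return sha256_hex(image) not in AV_SIGNATURES


def build_allowlist(approved: dict) -> set:
    """Enumerate the approved images once, at baseline time, and record their hashes."""
    return {sha256_hex(img) for img in approved.values()}


def allowlist_allows(image: bytes, allowlist: set) -> bool:
    """Whitelist model: run only images whose hash is on the approved list."""
    return sha256_hex(image) in allowlist


def evaluate(candidates: dict, allowlist: set) -> dict:
    """Return {name: (av_verdict, allowlist_verdict)} for each candidate image."""
    return {name: (av_allows(img), allowlist_allows(img, allowlist))
            for name, img in candidates.items()}


if __name__ == "__main__":
    allowlist = build_allowlist(APPROVED_IMAGES)
    candidates = dict(APPROVED_IMAGES)
    candidates["pos.exe (patched)"] = TROJANIZED_POS
    candidates["svchost_update.exe"] = UNKNOWN_RAM_SCRAPER   # dropped by an attacker
    candidates["old_family.exe"] = OLD_KNOWN_MALWARE
    for name, (av_ok, wl_ok) in evaluate(candidates, allowlist).items():
        print(f"{name:22} AV: {'ALLOW' if av_ok else 'BLOCK'}   "
              f"whitelist: {'ALLOW' if wl_ok else 'BLOCK'}")
```

Running it prints a verdict under each model for every image: the AV denylist blocks only the catalogued sample, while the allowlist blocks everything it was not baselined with. In production the enforcement point would be something like Windows AppLocker or a commercial whitelisting agent, and you would pin publisher certificates alongside hashes so that legitimate software updates do not break the list.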

Target Customers' Credit Cards Now Available on Black Market

If you shopped at Target any time between November 27th and December 15th, cancel your card now. Target is giving very bad advice when it tells customers they won't be held responsible for any fraudulent transactions. Even if the fraud is caught, fraudulent transactions can quickly become a complete nightmare, leaving you unable to pay bills or buy groceries while the charges are sorted out.

As an update to my post Target Should Offer Free Credit Monitoring for Impacted Customers, stolen card data from the breach has now been posted for sale on the black market.

This directly contradicts Target's earlier statements that there was no reason to cancel your credit cards.

Target now says it will offer free credit monitoring to everyone affected. If you paid with a credit or debit card at Target during this period, hold them to their word on this.

Target is also offering a 10% discount to customers who shop on the 20th and 21st. Personally I think this is a slap in the face to their customers; many will have a hard time shopping because they probably won't have a credit card anymore, having cancelled it and had the bank issue a new one.

Target Should Offer Free Credit Monitoring for Impacted Customers

In case you haven't heard, Target has been the victim of a massive network breach potentially impacting all credit card customers who shopped between November 27 and December 15, 2013, a period that includes Black Friday.

Normally when this happens, organizations try to make amends with their customers, often with free credit monitoring and identity theft protection for a year.

However, Target has chosen a route that is potentially more damaging from a PR perspective: it simply directs customers to monitor their own accounts and request a free credit report.

Now it is understandable that Target is hesitant to do so, since credit monitoring services could cost between $100 and $200 per person at retail prices. With 40 million customers affected, that works out to between $4 and $8 billion. According to MarketWatch, Target's yearly gross profit has been roughly $20 billion (net income is only a fraction of that), so this would significantly impact its bottom line. But the potential loss of customers could be even more damaging.

Target - the ball is in your court. This could potentially make or break your company. Do you want to do the right thing and provide credit protection for customers? Or do you want to risk tarnishing the Target brand forever?

For historical reference, TJX, the parent of T.J. Maxx, was required to provide credit monitoring to affected customers as part of the settlement of its 2007 breach.

Note: The blog author's family is most likely included in the list of affected customers.