U.S. consumers have many protections but no guarantees against credit card fraud

GWEN IFILL: The retail chain Target confirmed that hackers breached tens of millions of credit card and debit accounts at the height of the shopping season, just before Thanksgiving and right up until Dec. 15.

The theft occurred when people swiped their cards in store, not online. The retailer confirmed that customers' names, credit card and debit card numbers and security codes were stolen. It's the latest in a series of major breaches in recent years.

We explore them with Steve Surdu of Mandiant, a cyber-security firm.

How did 40 million accounts get compromised?

STEVE SURDU, Mandiant: Well, we don't know the details at this point in time. They're still investigating.

But, obviously, information had to be siphoned off from the organization. Attackers almost certainly came in from outside, put software in place that allowed them to aggregate the information over time and then remove it, so that they could use it.

GWEN IFILL: Put software in place in each individual store or at some central server?

STEVE SURDU: That's also unknown. Either one is possible.

In order to have as much of an impact as they have had with 40 million cards, it would seem likely that they have had access at the centralized part of the organization in the central network that maybe allowed them to reach into the individual point-of-sale systems, or at least distribute the software from that central point into many point-of-sale systems.

GWEN IFILL: And an inside job, perhaps?

STEVE SURDU: Not likely.

There are a lot of situations like this that we have seen over time. And it's never been an insider, not in our experience. And we have dealt with hundreds of these situations.

GWEN IFILL: Well, let's talk about these kinds of situations. You say that this happened before. This is only unusual in its size?


STEVE SURDU: I don't know if it's unprecedented, but in the past breaches like the TJX breach.

GWEN IFILL: Which is T.J. Maxx stores.


STEVE SURDU: Hannaford. There have been other, not just retail breaches, but breaches of financial institutions, payment processors, that are similar, in that the attacker came in from the outside, aggregated information and removed it.

GWEN IFILL: Let's talk about hardware for a moment. Why does it make a difference that it happened with people who swiped their cards? Would it have happened if you just handed your card over in some other way?

STEVE SURDU: Just handed your card over, I guess…

GWEN IFILL: To the cashier, say.


GWEN IFILL: They're going to swipe it too, I guess.

STEVE SURDU: Yes. You're not going to get — in order to do this on a large scale, it has to be automated.

GWEN IFILL: And so what period of time are we talking about here? We heard from before Thanksgiving until December 15. But it wouldn't — would it take longer to get that many, or is it just because the shopping season is in full swing?

STEVE SURDU: Well, it's high volumes now, so this is the right time to do it.

I think it's still really early in the investigation. My guess, because it sounds like they only said they were able to contain it as of the 15th, my guess is they discovered it relatively recently, put the brakes, the stops on whatever activity was going on, and I think now they should be deep into an investigation, which may take a considerable amount of time still.

GWEN IFILL: Now, a lot of the people who are watching this story who perhaps have just gotten home from doing a little Christmas shopping are thinking to themselves, who is liable? Who gives me back my money if I have fallen victim to this?

STEVE SURDU: Well, the card brands make sure that the individual consumer doesn't have that type of liability.

If you contact your credit card organization, your issuing bank as quickly as possible if you see fraud charges, you're always indemnified from that. So that shouldn't be an issue that anyone needs to worry about.

GWEN IFILL: Is the store itself, is the chain itself responsible?

STEVE SURDU: Well, responsible — ultimately, they would have financial obligation to the card brands.

There typically would be fines if they were found to be in breach of the payment card industry security standards.

GWEN IFILL: And what responsibility do consumers have to make sure that — to protect themselves, or is there anything they can do at all to protect themselves from this kind of intrusion?

STEVE SURDU: In this type of situation, there isn't much a consumer can do. They're really putting their confidence in the institution they're dealing with.

And all they can do is check their cards, their statements to make sure that, if they see inappropriate activity, they respond to it quickly.

GWEN IFILL: Are you saying that even after all the hacking episodes we have seen, we have survived, that technology is such that there is no way to protect against something like this happening?

STEVE SURDU: Oh, there are many protections. There are many different things that you can do to ward off it.

But there aren't any guarantees. You can't ever say that you're absolutely secure. Security is an asymmetrical type of issue, where you can protect yourself in thousands of different ways, and the attacker only needs to find one way in.

GWEN IFILL: Well, get — just give me an example of one way to protect, for the company to protect its consumers.


STEVE SURDU: A company typically would perform assessments of their environment to determine whether they had vulnerabilities the attackers could take advantage of in their Web sites, so they would test them to see if they have problems. They would evaluate their computers to see if they configured them inappropriately, because there are known ways to take advantage of systems, so they would be self-inspecting those types of things.

GWEN IFILL: So the very first thing that happens is, is there self-inspection from the retailer or, as I saw today, the Secret Service gets involved in this?

STEVE SURDU: The Secret Service would be involved to help them investigate, but wouldn't be there to help them defend themselves.

Many — almost all major organizations have full-time security staffs, where they are always looking at their environment and trying to make sure that they're up to date on their software, that if they find a problem, they fix it. But it's a tough thing. The larger the environment, the more difficult it is to find and resolve the issues.


GWEN IFILL: Steve Surdu from Mandiant research, thanks for helping us out.

STEVE SURDU: Thank you.