Target Breach: What Happened?

Expert Insight on Breach Scenarios, How Banks Must Respond

Was it a point-of-sale attack? A network breach? Or was it an inside job?

Security experts offer varying opinions about how U.S. retailer Target Corp. may have exposed 40 million U.S. debit and credit accounts (see Target: 40 Million Cards at Risk).

Target is not sharing details beyond what it reported Dec. 19 - that U.S. POS transactions conducted between Nov. 27 and Dec. 15 were likely compromised by a data breach.

In the meantime, banking institutions should educate customers about how to protect themselves from any fraud linked to the attack.

Target's Take

In a letter to customers, Target notes that customer names, credit and debit card numbers, as well as card expiration dates and card verification values - three-digit security codes - were exposed during the breach, which was first reported by blogger Brian Krebs on Dec. 18.

"Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts," the retailer says in its statement. "Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident."

Target customers who suspect they may have been impacted have been instructed to contact Target directly and monitor credit accounts. The company operates 1,797 stores in the U.S. and 124 in Canada.

What Happened?

Experts can only theorize about what may have happened to Target. And while fraud expert and Gartner analyst Avivah Litan speculates about whether an insider is to blame for the breach, many other experts say Target's compromise likely resulted from an external attack.

As fraud expert and Aite analyst Shirley Inscoe points out, Target's reference to "unauthorized access" suggests an outside hack.

"This incident appears to be tied to their [point-of-sale] system since [card not present] transactions were not impacted," she adds.

An executive with one of the leading U.S. card issuers affected by the Target attack, who asked not to be named, says he believes about 40,000 of the retailer's 60,000 point-of-sale terminals were infected with an executable file, likely malware that was automatically downloaded from a hacked server. Once infected, the devices were instructed to store and forward mag-stripe data collected during transactions at the POS, the executive says.

"Clearly, it was an external intrusion," the executive says. "It would follow that it was done through the infrastructure that Target uses to send updates down to their POS terminals."

An executive with another leading issuer also says the breach most likely was initiated at the network level, via an external attack, given the breadth of the attack.

Al Pascual, a financial fraud analyst with consultancy Javelin Strategy & Research, says the data leak was likely caused by a POS system attack, given that expiration dates and CVVs were lost. "I seriously doubt Target transmitted that data across an open network in the clear to their processor or stored the data," he adds.

John Buzzard of FICO's Card Alert Service says most indicators suggest Target was struck by an external attack that most likely infected its network with malware.

"A compromise involving all 1,800 U.S. stores would point to more of a virtual intrusion," he says. "I don't think there were criminal minions on the ground physically visiting all 1,800 stores. I think many issuers are also wondering if they will eventually have PIN [personal identification numbers used with debit transactions] exposure around this compromise."