Target
Carried out in the midst of the busiest shopping season of the year, the data breach at Target Corporation in 2013 allowed the attackers to get away with 70 million customers' Personal Identifiable Information (PII) and credit card data from some 40 million customers. The multi-step attack began with the theft of HVAC vendor's credentials for Target's vendor management web portal. From there, the attackers deployed the "Kaptoxa" malware on many of Target's Point-Of-Sale (POS) networks and exfiltrated stolen data from inside the corporate network via FTP to the attacker-controlled server.
Fig. 3: Components & network for Target input scenario
Figure 3 depicts the network connection (EN) and devices (VN) considered in this scenario. Representing a standard enterprise network, a large retailer such as Target typically has 100s or 1000s of locations, each with numerous point-of-sale (POS) stations that accept and process customer payments. The model includes K store locations, each with TK POS machines which are connected via a switch to a back-of-house (BoH) server. This BoH server connects to a central payment server at the corporate network, which interfaces with external financial institutions to verify transactions. The corporate network also includes a directory server, a web server, and a database server.
Fig. 4: Transaction operation for Target input scenario
Arguably the most important system operation in this scenario is the handling of consumer credit card information during POS transactions. Figure 4 depicts this process. Here the vertices VO denote the major operations from the POS terminal, a store's BoH Server, and the Bank responsible for clearing the transaction, while the edges EO imply sequential order. The mapping function MapO in this case assigns specific devices to the roles described above (e.g., POS Terminal 5 in Store #300). Additional system operations in this scenario could include the POS Terminal or BoH Server's software update process, or the process for collecting and storing personally identifiable information (PII) in the company database.