Security Crime

Target Confirms Point-of-Sale Malware Was Used In Attack

Posted by samzenpus
from the weapon-of-choice dept.
wiredmikey writes "According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country. Steinhafel told CNBC's Becky Quick in an interview that malware was used in attacks that compromised the company's point of sale registers. According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy holiday shopping season. According to sources who spoke to Reuters, attackers used RAM scraper, or Memory parser malware to steal sensitive data from Target and other retail victims. Visa issued alerts about attacks utilizing these types of malware in April 2013 and again in August 2013. Memory parser malware targets payment card data being processed 'in the clear' (unencrypted) in a system's random access memory (RAM). 'The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,' Visa explained in a security advisory."

  • by Anonymous Coward on Monday January 13, 2014 @03:51PM (#45943197)

    I worked on POS systems back in the late 90s - so, keep in mind my knowledge is not recent - no really, retailers move at a snail's pace when it comes to technology.

    First, this was an inside job. POS systems are too stupid to connect to the Internet.

    Second, back in my day, the register was a very dumb PC (DOS with an extender and later moved to Windows - yeah, I know). Network security NEVER entered the picture because it is a closed system: POS->Store server->Local/Main office over leased lines or VPN on the internet. The servers were slow shit. All they need to do is record sales data.

    In other words, IF the POS servers were in fact connected to the Internet so that crackers could get it, then someone really really really screwed up because there was absolutely no reason to do so. Too slow.

    And if these servers WERE connected to the Internet, all the crackers would see is unencrypted transaction data: CC #s, exp dates, amounts, what was bought, names, and all the other data collected by the POS computer. Yeah, wide open - because it was thought that no one outside the store would ever see it.

    Retailing, in general, is a VERY competitive business with razor thin margins. Go to your finance website of choice and compare Walmart's, Target's, Sears' or whoever's operating margins with any other industry's company - Pharma is my favorite comparison: try Bristol-Myers Squibb (BMY). So, they take THE cheapest way out every time.

  • by DickBreath (207180) on Monday January 13, 2014 @04:43PM (#45943787) Homepage
    > the card companies ought to be black boxing the readers, so that the POS system never has access to unencrypted transaction information

    You're on the right track. Keep going! Don't stop yet.

    How about black boxing the cards?!!!

    AKA, Smart Cards. The card itself has a complete computer running Java just like the SIM card in your GSM phone. The computer on the smart card is black boxed. That computer has a private certificate. When transactions are signed by the processor in the card itself, the certificate chain can be verified that the certificate within the smart card is genuine and signed the transaction. Attempting to learn the secret data within the smart card destroys the data, or at least is extremely expensive -- and would only compromise that card making the attack not economically attractive.
  • by Anonymous Coward on Monday January 13, 2014 @04:53PM (#45943937)

    Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...

    False! It's dirt cheap, just a couple hundred dollars. You filled out an application, paid a fee, and got an enhanced port scan. How exactly does your shiny new (annually renewed) PCI DSS compliance accreditation protect ANYTHING? PCI compliance testing does nothing beyond proving that you at least installed a consumer grade router/firewall between your card reader, card data storage, and the internet. Literally nothing between your card data and the internet beyond a 10 year old $50 Linksys router.

    But, God forbid your SMTP server utilize weak cyphers, cause that'll fail you right there! Does it matter that no-fucking-body is using TLS to exchange SMTP email? Nope! But, if you get your SMTP TLS fixed, your Linksys firewall will be fully PCI DSS compliant! Give me a fucking break.

    But, here's the kicker, IT WILL NEVER BE FIXED. If PCI demanded and enforced real security, it would be FAR too prohibitively expensive for most retailers, especially small shops, to be able to satisfy the requirements. This would cut into the card industry's profits. So, they will always make gestures like PCI DSS, but they will never be strong enough to be effective because that would damage Visa's profits.

    Remember, boys and girls, this entire debacle costs Visa NOTHING! False charges are rolled back and the merchant eats the cost of the fraudulent charges. Your credit card number gets stolen and is used fraudulently to buy lunch at some small restaurant? The restaurant gets the chargeback and eats the loss. Your card number gets used to buy some eBay stuff, same thing happens to the sap that was trying to make a buck on eBay. They lose their goods and their money.

  • by swschrad (312009) on Monday January 13, 2014 @04:56PM (#45943987) Homepage Journal

    the link is interesting reading. click it.

  • Re:use bitcoin (Score:4, Informative)

    by Anonymous Coward on Monday January 13, 2014 @05:00PM (#45944037)

    They're trying to pull it. Here's the text:-

    4-page Case Study
    Posted: 3/17/2011
    Target Corporation Large Retailer Relies on a Virtual Solution to Deliver Optimal Shopping Experience

    With its attractive stores offering trendy merchandise at affordable prices, Target changed how consumers think about discount shopping. To help Target deliver on its “Expect More. Pay Less.” brand promise, Target chooses reliable, scalable, and cost-effective technology. That’s why the company is deploying Windows Server 2008 Datacenter and its Hyper-V virtualization technology to retire 8,650 servers and implement a two-servers-per-store policy. By 2012, Target’s entire store server infrastructure will be running on Hyper-V, which will support a total of 15,000 virtual machines running mission-critical applications. Target also deployed Microsoft System Center data center solutions to manage more than 300,000 endpoints across its retail network. With its Microsoft Virtualization solution, the company will save millions of dollars in hardware, electrical, and maintenance costs.
    Situation
    The first Target store opened in 1962 in the Minneapolis suburb of Roseville, Minnesota, with a focus on convenient shopping at competitive discount prices. Today, Target remains committed to providing guests with the right merchandise mix—from everyday commodities and grocery offerings to trend-right home and apparel lines—at outstanding value. Target continually reinvents its stores, including layout, presentation, and merchandise assortment, to create an engaging shopping experience.

    “It’s not hyperbole to suggest that most of our guest shopping experiences are affected by our Microsoft Virtualization solution. That’s a good thing for Target, and it’s a good thing for our guests.”

    Brad Thompson
    Director, Infrastructure Engineering, Target

    To continue offering merchandise at appealing prices, Target looks for ways to control its operating costs. Consequently, the company’s IT department, called Target Technology Services, chooses technology that’s cost-effective and delivers real business value. “Target Technology Services is considered a strategic enabler for just about everything we do in retail strategy,” says Brad Thompson, Director of Infrastructure Engineering at Target. “That said, we are still a cost center, and so we are always looking to drive down costs where possible, as long as we meet the requirements of our guests, our application development teams, and our business partners.”

    Amy Reilly, Spokesperson for Target, points out that technology also underlies the customer experience at each Target store: “When our guests come into our stores, they have a certain expectation of their experience. They expect clean, wide aisles and to find what they need and check out quickly because they lead busy lives. So reliability in our technology, including our POS [point-of-sale] and replenishment applications, is very important to helping us deliver on our ‘Expect More. Pay Less.’ brand promise.”
    Distributed IT Infrastructure
    Target has a highly distributed IT infrastructure with more than 300,000 endpoints, including servers, computers, POS registers, kiosks, and mobile devices dispersed among its 1,755 retail stores. Except for centralized authentication, domain name resolution, and endpoint monitoring services, each retail store functions as an autonomous unit. “Every one of our stores has its own control room, with its own network and compute capacity inside the store,” says Thompson. “So if you think of our infrastructure across all those stores, we have to get very crea

  • by jader3rd (2222716) on Monday January 13, 2014 @06:24PM (#45944949)

    Need to update firmware? Have the IT guy at each store do it manually.

    Wait, what? That's exactly the opposite of how a large shop runs their operations. You create an image that you want applied to all machines that match a certain profile, and then let the machines do the updates at a preconfigured time.

  • by Anonymous Coward on Monday January 13, 2014 @06:40PM (#45945105)

    That's how it used to be.
    These days, they usually have the same type of in-house network, often the POS terminals are just repackaged PC gear in a custom shell/case. Sometimes they run them as terminals, sometimes are a locked-down client with a custom OS. These do not, as you mention, have any internet access.
    But the main server will have some kind of connection, in order to upload transaction data and do inventory synchs with Warehousing. And it's cheaper to do that over the internet via VPN tunnel than it is to buy up actual point to point circuits. And well hell, let's offer free Wi-Fi as well! and even though generally those networks are kept segregated, it means there are a lot more scenarios for exploits to happen. So if you can get some malware to push out to the store servers, you very easily might not need to infect the client workstations at all. And in turn, you might find a way to ride into the network from the clients.

  • by Spillman (711713) <spillman@gm[ ].com ['ail' in gap]> on Monday January 13, 2014 @06:42PM (#45945137)
    The card number couldn't be hashed because the merchant's EFT processor routes the transaction to the cardholder's bank by using the BIN number which is the first 6 (usually) digits of the card number. The rest of the track 2 data could not be hashed either since it is used to calculate your PIN by your bank.

    You might be interested in reading:

    ISO 8583 [wikipedia.org]

    and also, How pin checking generally works [wikipedia.org]
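
Added example, not part of the comment above or of any payment product: a Python illustration of the split that comment describes, where the first six digits (the BIN) have to stay readable for routing while the rest of the Track 2 record is kept out of logs. The Track 2 layout follows ISO/IEC 7813; the sample record and the function names `routing_view` and `scrub` are constructed for this example.

```python
import re

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM SSS discretionary?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn check, used to skip digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def routing_view(track2: str) -> dict:
    """Split Track 2 into what routing needs and what must stay out of logs."""
    m = TRACK2.fullmatch(track2)
    if not m or not luhn_ok(m.group(1)):
        raise ValueError("not a valid Track 2 record")
    pan, expiry, service, discretionary = m.groups()
    return {
        "bin": pan[:6],  # issuer routing key, the part that must be in clear
        "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry_yymm": expiry,
        "service_code": service,
        "discretionary_len": len(discretionary),  # contents never returned
    }

def scrub(text: str) -> str:
    """Replace each Luhn-valid Track 2 record in a log line with a masked form."""
    def repl(m):
        if not luhn_ok(m.group(1)):
            return m.group(0)  # leave non-card digit runs untouched
        view = routing_view(m.group(0))
        return f";{view['masked_pan']}=[REDACTED]?"
    return TRACK2.sub(repl, text)

# Constructed sample: the widely published 4111... test PAN with invented tail data.
SAMPLE = ";4111111111111111=25121010000012345678?"

if __name__ == "__main__":
    print(routing_view(SAMPLE))
    print(scrub("txn=81 track2=" + SAMPLE + " amt=12.50"))
```
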
