
Target Confirms Point-of-Sale Malware Was Used In Attack

Posted by samzenpus
from the weapon-of-choice dept.
wiredmikey writes "According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country. Steinhafel told CNBC's Becky Quick in an interview that malware was used in attacks that compromised the company's point of sale registers. According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy holiday shopping season. According to sources who spoke to Reuters, attackers used RAM scraper, or Memory parser malware to steal sensitive data from Target and other retail victims. Visa issued alerts about attacks utilizing these types of malware in April 2013 and again in August 2013. Memory parser malware targets payment card data being processed 'in the clear' (unencrypted) in a system's random access memory (RAM). 'The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,' Visa explained in a security advisory."

  • by ackthpt (218170) on Monday January 13, 2014 @03:16PM (#45942669) Homepage Journal

    There's any number of ways their POS system could have been done securely, but somewhere a decision must have been made on costs, in regard to paring them down, which resulted in something about as secure as an intranet of unprotected Windows XP computers exposed to the internet. No isolated network, no encryption, dependence upon commodity *cough* Windows *cough* operating system, etc.

    I'm sure it all looked great, until this happened, then they get 200% more wise.

    Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.

  • by cold fjord (826450) on Monday January 13, 2014 @03:16PM (#45942673)

    Somebody should be by soon to defend the l33t crackers involved in this. Can't wait to read it....

    "We did you a service, now you know." Of course they won't give up anything they managed to steal.

    Brace yourself for new laws.

  • by i.r.id10t (595143) on Monday January 13, 2014 @03:28PM (#45942831)

    I'm sure it all looked great, until this happened, then they get 200% more wise.

    Experience is learning from mistakes you make

    Wisdom is learning from the mistakes other people make

  • Re:Inside job? (Score:5, Insightful)

    by houstonbofh (602064) on Monday January 13, 2014 @03:34PM (#45942943)

    This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.

    Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...

  • by catfood (40112) on Monday January 13, 2014 @03:52PM (#45943209) Homepage
    That's because they're not paying the full costs of the damage they allow through poor security practices. If they reimbursed you and me and millions of other people for our time and effort to clean up their mess, it wouldn't be cheaper than solving the problem.
  • by alen (225700) on Monday January 13, 2014 @03:52PM (#45943217)

    let's see
    in the 80's when soldiers would get paid in cash or real paper checks they would get robbed outside the army base gates on their way to the bank. direct deposit solved that issue

    used to be that people kept cash at home. but if your home burns down or you are robbed or whatever, you lose all your money. with CC's you dispute charges and don't lose a dime

  • POS (Score:4, Insightful)

    by ThatsNotPudding (1045640) on Monday January 13, 2014 @04:14PM (#45943497)
    They were quite psychic when selecting this particular acronym.
  • by mythosaz (572040) on Monday January 13, 2014 @04:18PM (#45943535)

    It's much, much more likely that hackers penetrated the network by other means, and then, once inside the network, compromised the POS systems -- which could then report back to the intermediary system, which could report out (or be repeatedly accessed from outside).

    It's unlikely that the POS systems themselves reached out to the internet. That would have been noticed far, far too easily.
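
A detection sketch for the relay path described in the comment above (registers feeding an internal intermediary that then talks to the outside), added here as an example and not part of the original comment. The flow records, subnets and the payment-switch address are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (source, destination, bytes). All made up.
FLOWS = [
    ("10.20.1.11", "10.50.0.5", 1200),     # register -> payment switch (expected)
    ("10.20.1.11", "10.30.7.44", 48000),   # register -> unexpected internal host
    ("10.20.1.12", "10.30.7.44", 51000),
    ("10.30.7.44", "203.0.113.9", 99000),  # that internal host -> internet
    ("10.30.8.10", "198.51.100.7", 3000),  # unrelated office host -> internet
    ("10.20.1.12", "10.50.0.5", 900),
]

POS_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed register segment
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # assumed internal address space
ALLOWED_POS_DSTS = {"10.50.0.5"}                 # assumed payment switch

def in_net(ip, net):
    return ipaddress.ip_address(ip) in net

def find_staging_hosts(flows):
    """Internal hosts that receive non-allowlisted traffic from registers
    and also send traffic outside the internal address space."""
    fed_by_pos = defaultdict(set)
    for src, dst, _ in flows:
        if (in_net(src, POS_NET) and in_net(dst, INTERNAL)
                and dst not in ALLOWED_POS_DSTS):
            fed_by_pos[dst].add(src)
    findings = {}
    for src, dst, nbytes in flows:
        if src in fed_by_pos and not in_net(dst, INTERNAL):
            hit = findings.setdefault(src, {"pos_sources": fed_by_pos[src],
                                            "external_dsts": set(),
                                            "bytes_out": 0})
            hit["external_dsts"].add(dst)
            hit["bytes_out"] += nbytes
    return findings

def direct_pos_egress(flows):
    """Registers talking straight to the internet: the easy-to-notice case."""
    return [(s, d) for s, d, _ in flows
            if in_net(s, POS_NET) and not in_net(d, INTERNAL)]

if __name__ == "__main__":
    print(direct_pos_egress(FLOWS))
    for host, hit in find_staging_hosts(FLOWS).items():
        print(host, sorted(hit["pos_sources"]), sorted(hit["external_dsts"]),
              hit["bytes_out"])
```

On the sample data the direct-egress check finds nothing, while the correlation surfaces the one internal host that sits between the registers and an external address.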

  • Re:use bitcoin (Score:5, Insightful)

    by DickBreath (207180) on Monday January 13, 2014 @04:22PM (#45943585) Homepage
    Maybe instead, there is something Target should NOT have used in their store POS systems.

    http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407
  • by houstonbofh (602064) on Monday January 13, 2014 @05:26PM (#45944371)

    False! It's dirt cheap, just a couple hundred dollars. You filled out an application, paid a fee, and got an enhanced port scan.

    That is PCI compliance for a network, not an application. If you have an application that allows credit card swipes, and goes to a clearing house, it needs to be certified as well, and that ain't cheap.

    How exactly does your shiny new (annually renewed) PCI DSS compliance accreditation protect ANYTHING? PCI compliance testing does nothing beyond proving that you at least installed a consumer grade router/firewall between your card reader, card data storage, and the internet.

    It also shows that you exercised due diligence in securing your network, and prevents you from being sued for gross negligence. You don't need real security if you can show that you had some and therefore can't be sued.

  • Re:NSA-level shit (Score:4, Insightful)

    by dave562 (969951) on Monday January 13, 2014 @06:38PM (#45945097) Journal

    This is where the "fusion centers" are supposed to come into play. The NSA is not law enforcement, but the FBI is (was) and so are other Federal and State agencies. As others have pointed out, the NSA should have seen this. They have taps in all of the backbone routers. Surely they have a decent algorithm that highlights data going to (Eastern Europe, China, etc). We know that they are analyzing plain text and decrypting SSL/TLS when plain text is not available.

    They should absolutely have a map of legitimate financial networks, payment authorization data flows, etc. Anything outside of that known universe should be flagged and investigated. They are already doing this to combat money laundering, and to enforce the economic sanctions that the State Department and other Federal agencies enact.

    The reality is that the NSA is not all about protecting our economy or predicting crime. They are there to uncover and crush any opposition to the government. Sure, they "cannot" catch these massive frauds, or pay attention to intelligence about terrorists planning on blowing up marathons. But trust you me, as soon as any of us start talking about armed insurrection or forcefully removing Senators, we will quickly figure out that the NSA has no problem acting upon what they want to act upon.
