Target Confirms Point-of-Sale Malware Was Used In Attack 250
wiredmikey writes "According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country. Steinfhafel told CNBC's Becky Quick in an interview that malware was used in attacks that compromised the company's point of sale registers. According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy the holiday shopping season. According sources who spoke to Reuters, attackers used RAM scraper, or Memory parser malware to steal sensitive data from Target and other retail victims. Visa issued alerts about attacks utilizing these types of malware in April 2013 and again in August 2013. Memory parser malware targets payment card data being processed 'in the clear' (unencrypted) in a system's random access memory (RAM). 'The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,' Visa explained in a security advisory."
Cheap architecture + short cuts = DOOM (Score:5, Insightful)
There's any number of ways their POS system could have been done securely, but somewhere a decision must have been made on costs, in regard to paring them down, which resulted in something about as secure as an intranet of unprotected Windows XP computers exposed to the internet. No isolated network, no encryption, dependence upon commodity *cough* Windows *cough* operating system, etc.
I'm sure it all looked great, until this happened, then they get 200% more wise.
Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.
Somebody should be by soon (Score:3, Insightful)
Somebody should be by soon to defend the l33t crackers involved in this. Can't wait to read it....
"We did you a service, now you know." Of course they won't give up anything they managed to steal.
Brace yourself for new laws.
Re:Cheap architecture + short cuts = DOOM (Score:5, Insightful)
I'm sure it all looked great, until this happened, then they get 200% more wise.
Experience is learning from mistakes you make
Wisdom is learning from the mistakes other people make
Re:Inside job? (Score:5, Insightful)
This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.
GEtting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...
Re:Cheap architecture + short cuts = DOOM (Score:5, Insightful)
Re:Cash only economy (Score:5, Insightful)
let's see
in the 80's when soldiers would get paid in cash or real paper checks they would get robbed outside the army base gates on their way to the bank. direct deposit solved that issue
used to be that people kept cash at home. but if your home burns down or you are robbed or whatever, you lose all your money. with CC's you dispute charges and don't lose a dime
POS (Score:4, Insightful)
Re:Yes. Inside job without a doubt. (Score:5, Insightful)
It's much, much more likely that hackers penetrated the network by other means, and then, once inside the network, compromised the POS systems -- which could then report back to the intermediary system, which could report out (or be repeatedly accessed from outside).
It's unlikely that the POS systems themselves reached out to the internet. That would have been noticed far, far too easily.
Re:use bitcoin (Score:5, Insightful)
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407
Re:PCI Is Cheap And STUPID! (Score:5, Insightful)
False! It's dirt cheap, just a couple hundred dollars. You filled out an application, paid a fee, and got an enhanced port scan.
That is PCI compliance for a network, not an application. If you have an application that allows credit card swipes, and goes to a clearing house, it needs to be certified as well, and that ain't cheap.
How exactly does your shiny new(annually renewed) PCI DSS compliance accreditation protect ANYTHING? PCI compliance testing does nothing beyond proving that you at least installed a consumer grade router/firewall between your card reader, card data storage, and the internet.
It also shows that you exercised due diligence in securing your network, and prevents you from being sued for gross negligence. You don't need real security if you can show that you had some and therefore can't be sued.
Re:NSA-level shit (Score:4, Insightful)
This is where the "fusion centers" are supposed to come into play. The NSA is not law enforcement, but the FBI is (was) and so are other Federal and State agencies. As others have pointed out, the NSA should have seen this. They have taps in all of the backbone routers. Surely they have a decent algorithm that highlights data going to (Eastern Europe, China, etc). We know that they are analyzing plain text and decrypting SSL/TLS when plain text is not available.
They should absolutely have a map of legitimate financial networks, payment authorization data flows, etc. Anything outside of that known universe should be flagged and investigated. They are already doing this to combat money laundering, and to enforce the economic sanctions that the State Department and other Federal agencies enact.
The reality is that the NSA is not all about protecting our economy or predicting crime. They are there to uncover and crush any opposition to the government. Sure, they "cannot" catch these massive frauds, or pay attention to intelligence about terrorists planning on blowing up marathons. But trust you me, as soon as any of us start talking about armed insurrection or forcefully removing Senators, we will quickly figure out that the NSA has no problem acting upon what they want to act upon.