Target Confirms Point-of-Sale Malware Was Used In Attack 250
wiredmikey writes "According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country. Steinfhafel told CNBC's Becky Quick in an interview that malware was used in attacks that compromised the company's point of sale registers. According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy the holiday shopping season. According sources who spoke to Reuters, attackers used RAM scraper, or Memory parser malware to steal sensitive data from Target and other retail victims. Visa issued alerts about attacks utilizing these types of malware in April 2013 and again in August 2013. Memory parser malware targets payment card data being processed 'in the clear' (unencrypted) in a system's random access memory (RAM). 'The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,' Visa explained in a security advisory."
Re:Cheap architecture + short cuts = DOOM (Score:5, Interesting)
Really, the card companies ought to be black boxing the readers, so that the POS system never has access to unencrypted transaction information to begin with. They really only need to know if the transaction was approved.
They already do this for small retailers (those little card reader/tape dispenser thingies sitting next to the register). They need to start forcing a similar system on the big retailers.
Re:Cheap architecture + short cuts = DOOM (Score:4, Interesting)
Seriously? Unless they radically alter how these things are built and networked, all it would take is one disgruntled cashier (or one willing to accept a percent of the take) + one register that isn't quite visible from the cameras + one appropriately-loaded USB stick (or similar device).
Inside job? (Score:5, Interesting)
"Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target," Reuters reported, citing sources familiar with the attacks. "Those breaches have yet to come to light...
What the hell, why not? I had to cancel one of my family debit cards because of Target, do I now have to cancel my other one from an unnamed store?
After gaining access to a merchant’s network, attackers can install memory-parsing malware on register systems or backend processing servers to extract magnetic-stripe data as it moves through the through the payment process.
How are they gaining access to Target's network? Maybe it's from the ever-famous wireless network that's in all Target stores, and is prone to attacks, based purely on it's password policy (changes automatically once a month - or doesn't at all - I hear)
“The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,” Visa explained in a security advisory.
Again, how did they not only get into the system, but how'd they know the executable binary that was running? I mean, this isn't something that was done in one day, it had to be a collective goal for more than one person.
Visa first warned about these types of attacks targeting grocery merchants, but said merchant segment is vulnerable. According to Visa, these types memory parser malware attacks have been found only targeting Windows-based operating systems.
This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.
In March 2013, new malware was found targeting point-of-sale (POS) systems and ATMs and was behind the theft of payment card information from several US banks. Called "Dump Memory Grabber", the malware scans the memory of point-of-sale systems and ATMs looking for credit card data.
And how the shit does one gain access to an ATM's RAM?
All in all, I feel that this must have been an inside job of some kind. Not just a Target employee, but a Target employee(s) and someone who has access to ATMs inner-workings.
Re:CASH (Score:2, Interesting)
It's the only answer to limit exposure to mass fraud.
Yeah, because there were no fraud before electronic transactions.. Last report I saw (admittedly around a year ago), old style "manual" money fraud (counterfeit, impersonating, etc.) was still estimated to exceed electronic fraud by order of magnitude.
Re:Cheap architecture + short cuts = DOOM (Score:5, Interesting)
In 2015, EMV becomes required in the US. Those retailers who don't black box their card readers will be 100% liable for fraud at their point-of-sale (including stolen cards).
Re:Cheap architecture + short cuts = DOOM (Score:5, Interesting)
I'm very surprised that Target thinks that every register in every store was infected. Just getting them all running the same malware is a major feat. And how did this POS malware get ahold of the 70 million "guest" records that weren't on the POS devices?
Re:Cheap architecture + short cuts = DOOM (Score:2, Interesting)
I build and support retail management systems, supply chain management, CRM, ERP for retailers, for suppliers, for shipping, logistics and such. The simplest way to use a bank terminal is NOT to connect it to a POS in the first place. But this means lack of integration and possible errors by a POS operator, if for example they have to indicate in the POS system whether the it was a cash or a card transaction, etc. We provide our own Linux based solutions for all parts of the business management, including integrated, linux based POS, but again, the way we integrate it, the POS doesn't even get to see the bank terminal information, it sends the total amount to the terminal and expects a confirmation or a rejection back from it, it doesn't operate the terminal, it is not even possible for the POS to know what is happening between the customer and the terminal. From my POV it is bad form to allow POS to know anything that the terminal does beyond final status of the transaction.
Re:Cheap architecture + short cuts = DOOM (Score:5, Interesting)
I'm sure it all looked great, until this happened, then they get 200% more wise.
Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.
I worked for a MAJOR retailer that was involved with a credit card crisis. The only reason the registers didn't get raped was the fact they ran linux. The actual POS servers ran Windows 2000 so that is what got cracked. Management was working hard to get away from these solid state linux computers for the "cost savings" in administration of the Windows platform. I can tell you that a multipurpose platform is not appropriate for a specialized task.
Got email from Target offering free credit monitor (Score:5, Interesting)
I got an e-mail from Target offering me free credit monitoring.
Yeah, they leaked my name, address, credit card number etc and now they want me to sign up for credit monitoring with them. Just input your social security number and answer a few questions ...
We have been hearing about how Target figures out if you're pregnant before your family does. They have been doing all sorts of data mining on people.
I suspect what is leaked is just not the name, address and credit card info on their subscribers. What if they have a profile on each of their customers that is also leaked? What if they compiled all sorts of data about their customers from various sources, like relationships, employment field, estimated incomes and other bits of info from the credit history? What if all that was leaked?
Re:Cheap architecture + short cuts = DOOM (Score:2, Interesting)
ATM keypads don't generate hashes of your pin. They hold a cryptographic key that is dervied form another key from the network and then use the resulting key to encrypt your pin entry, but you are correct. Those keys and your pin number are held in memory on the pin pad.
it gets worse. (Score:3, Interesting)
First, target has NOT wiped and re-installed. As such, there are Trojans waiting to come alive and look for other malware to install.
but it gets better. Everybody is missing the fact that all of the companies having this malware offshore their IT. What is happening is that Indians are paid $8-10k, and are then offered 100-200k to release the malware. Of course they do it. They are set up for life and do not hurt their peers.
this will continue as long as American companies are dumb enough to offshore.
Re: Cheap architecture + short cuts = DOOM (Score:2, Interesting)
Nope. But they all offshored their IT to India.
Re:Cash only economy (Score:4, Interesting)
...then they better start patting down everyone entering or exiting casinos.
As a degenerate gambler and poker player (two different things), I've regularly got plenty of cash on me, and it's never, ever, been a problem. Thousands of people show up to the WSOP every year and pay for buy-ins in cash. Every poker forum gets the same question asked to it ever year before the WSOP, "How do I bring 10-20k in cash with me to the WSOP?" ...and the same answer gets given every year. If you don't want to just wire your entry fee to the tournament cage (or your bankroll to a casino host), or you plan on just playing cash games, call your bank, tell them you're going to withdraw a bunch of cash - so they can have a bunch on hand - then take it with you to the event. If someone says, "Hey's what's all this cash," you say, "I'm a poker player." Works for thousands of us every time.
Of course, I don't wander crack alleys with it, so, YMMV.
Re:Why not thin clients using PCoIP or RDP? (Score:2, Interesting)
I'm curious, if you find security so important, why the hell do you have a link in your sig that directs people to pictures of your entire family? As much as I'm sure we're all thrilled to see your daughters piano recital I can't imagine I'd ever put pics of my kids on the net like that. I guess that's up to you but the slashdot crowd is not who I'd want having every intimate detail of my home life. I'm pretty sure your link would let me steal your identity a lot quicker than any data they got from target.
Re:Cheap architecture + short cuts = DOOM (Score:5, Interesting)
This.
For the attack to happen the way Target says, there must be two MAJOR flaws in their network:
- the POS machines must be accepting software updates from the network - to allow the attackers to download their firmware;
- the POS machines must be able to connect to an arbitrary server not on the Target network - to allow the POS machines to transmit the collected data.
There is no valid reason for either of these. Need to update firmware? Have the IT guy at each store do it manually. And, install a decent firewall so that random machines inside your store can't talk to the outside world. (This will both prevent security breaches, *and* stop the employees in the photo department from surfing the web when they're supposed to be working).
Re:Yes. Inside job without a doubt. (Score:4, Interesting)
It's much, much more likely that hackers penetrated the network by other means, and then, once inside the network, compromised the POS systems -- which could then report back to the intermediary system, which could report out (or be repeatedly accessed from outside).
It's unlikely that the POS systems themselves reached out to the internet. That would have been noticed far, far too easily.
I'm not so sure. I happen to know of a certain well-known vendor of POS systems that is A) sloppy about a lot of things. B) pushing more and more of people's business onto their servers in their cloud. If their customer is also getting Lower Prices Everyday on their IT, so much the easier.
And I do suspect the Cloud. Because infecting store-local systems in enough physical locations to capture 70 million or more accounts would be very labor-intensive. It's far easier to infect the Mothership and let it corrupt the local systems.
Re:Cheap architecture + short cuts = DOOM (Score:5, Interesting)
In 2015, EMV becomes required in the US. Those retailers who don't black box their card readers will be 100% liable for fraud at their point-of-sale (including stolen cards).
Retailers are 100% liable today. And that's the problem!
EMV offers no additional protection whatsoever in a card present scenario unless the customer is required to enter a PIN. Which as you know.. convenience blah blah, speed blah, reasons. And nobody will. Even "einstein" level smart chips are useless without a PIN. What EMV was designed to do is reverse the precident that banks are responsible for bearing the costs of fraud unless the customer can be proven to have been negligent. All EMV is, is an attempt by the industry to dial things back to the way they were pre-2009 -- which was where they could claim the systems were perfect and infallible, therefore all liability is with the customer. It took an act of Congress, also known as the FSA, to override the courts and provide relief to the customers.It's taken a lot of work on the down-low getting key positions in the Senate filled by sympathetic Republicans, but behold! EMV: Now the courts and congress can be fully aligned in their desire to screw over the customer. It's motto might as well be Enter your PIN: Assume full liability.
Also... I don't know what you think "black box" means, but merely separating the card swiper from the cashier's hands is not "black box" in IT; and that's all EMV does. In IT, black box means that the entire interface is subsumed into an external device, not networked, and not user-programmable, and it provides a pass/fail signal or similar. Retail will never, ever, go for this. Your name and zip code is embedded in the card; that's valuable marketing data. They're not going to reduce transactions to what would essentially be anonymous... this is just common sense.
So I'm going to have to slap on the cliche "Citation Needed" onto your assertion. EMV has but one purpose -- to deprive consumers of any recourse to fraud in a card-present scenario, and to reduce liability to the banks in a CNP scenario as well. Fraud is a multi-billion dollar industry, and businesses like fixed costs. Everything about card transactions is a fixed cost to the bank, except for fraud. Make the customer responsible, and now everything is nice and orderly.