Slashdot Mirror


Target Has Major Credit Card Breach

JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.

36 of 191 comments

  1. Well, with a name like that... by Anonymous Coward · · Score: 5, Funny

    Well with a name like that, I've been avoiding them for years. Can't hurt to play safe.

  2. don't connect everything to the internet! by Nyder · · Score: 5, Insightful

    You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

    Will they ever learn?

    --
    Be seeing you...
    1. Re:don't connect everything to the internet! by Nyder · · Score: 4, Interesting

      You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

      Will they ever learn?

      Guess maybe I'm not thinking. They do need to verify that cards are correct, so they do need some internet access, though they could do it over the phone.

      Well, I guess they will still need to rethink the security of this.

      Seems to me the readers only need to communicate with a computer in the store, then that computer could do the verifying. Might be a little slower, but would probably be a lot more secure.

      --
      Be seeing you...
    2. Re:don't connect everything to the internet! by E-Rock · · Score: 4, Insightful

      It's a shame that we probably won't get good details about what happened. If they're PCI compliant, those devices need to be on their own network away from the rest of the company machines. If they were actually doing that, I'd think that they could have caught this with some sort of egress filtering that would either block or alert when it saw CC information going out, or outbound connections from the CC system to unauthorized systems.

      Of course, my bet is an inside job. With the right people involved, you can bypass almost anything.
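The egress check E-Rock describes (alert when card data or an unauthorized outbound connection leaves the cardholder-data segment) can be prototyped over connection logs. The following is an added example, not code from the original post or from Target; the log format, the allowlisted processor endpoint and the sample lines are constructed for illustration, and the card numbers are the standard public test PANs, not real accounts.

```python
import re
from typing import List, Tuple

# Constructed outbound-connection log from the payment segment, one flow per
# line: "src dst:port payload". All values are invented for this example.
SAMPLE_LOG = """\
10.20.1.15 192.0.2.10:443 auth-req ref=A1 token=9f3a
10.20.1.15 198.51.100.7:8080 track2=4111111111111111=2512101
10.20.1.16 192.0.2.10:443 auth-req ref=A2 token=77c0
10.20.1.17 203.0.113.9:443 note=order 1234567890123
10.20.1.18 203.0.113.9:443 data=4012888888881881
"""

# Hypothetical allowlist: the only destination the payment segment may reach
# (the acquirer/processor endpoint). Everything else is an egress violation.
ALLOWED_DESTINATIONS = {"192.0.2.10:443"}

# 13-19 digit runs that are not part of a longer digit string.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track-2 shape: PAN, field separator '=', then expiry YYMM.
TRACK2 = re.compile(r"\d{13,19}=\d{4}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters order numbers and other digit runs from PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def analyse(line: str) -> List[str]:
    """Return the alert reasons for one log line (empty list means no alert)."""
    _src, dst, payload = line.split(" ", 2)
    reasons = []
    if dst not in ALLOWED_DESTINATIONS:
        reasons.append("unauthorized-destination")
    if TRACK2.search(payload):
        reasons.append("track-data")
    if any(luhn_valid(m) for m in PAN_CANDIDATE.findall(payload)):
        reasons.append("pan-in-clear")
    return reasons


def scan(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run analyse() over every line and collect the lines that alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = analyse(line)
        if reasons:
            alerts.append((line, reasons))
    return alerts


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```

The allowlist catches the flows to unapproved hosts regardless of content, while the Luhn filter keeps the 13-digit order number on the fourth line from being reported as a card number; in practice the same logic would sit on a proxy or IDS at the segment boundary, where traffic to the processor is expected to be encrypted and the alert on a cleartext PAN is itself evidence of misconfiguration.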

    3. Re:don't connect everything to the internet! by DigiShaman · · Score: 2

      I thought PCI Compliance was supposed to take care of that per defining the standards in network security for POS (Point of Sales) systems?

      http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

      --
      Life is not for the lazy.
    4. Re:don't connect everything to the internet! by JWSmythe · · Score: 4, Insightful

      They don't need direct access. Actually, your CC data is supposed to be kept away from the Internet. That's what private circuits are for. In the case of a major retailer like Target, they should be doing all financial transfers over private circuits, with no Internet access.

      Someone may have decided it would be cheaper to share the circuit with Internet access. That was *very* dumb of them.

      --
      Serious? Seriousness is well above my pay grade.
    5. Re:don't connect everything to the internet! by mysidia · · Score: 2

      Someone may have decided it would be cheaper to share the circuit with Internet access. That was *very* dumb of them.

      There are perfectly safe ways of doing this -- it's called a VPN, and an isolated network behind the firewall whose only WAN is the VPN connection, to access approved systems; and be monitored by approved systems.

    6. Re:don't connect everything to the internet! by AK+Marc · · Score: 2

      They do direct-authorization. The two common ways of doing that are having an analogue line per terminal and every terminal dial in. You remember hearing the dial in sounds for cards, right? That takes 20 seconds per card, and more if it has trouble (and is prone to trouble). Or, you have it connect to the same database, but over a VPN or private network. VPNs are cheaper, so more common. sub-5 second authorization. More reliable. The Internet wins. But that doesn't excuse lax physical security of the "trusted" authorization machines.

    7. Re:don't connect everything to the internet! by blincoln · · Score: 4, Informative

      Who said anything about these devices being compromised by an attack from the internet? There are all sorts of ways to attack them indirectly:

      - Compromise the system that manages them, then use that management system to push out compromised firmware or OS updates (depending on the device type - the newer payment terminals are often little Linux machines).
      - Compromise the POS registers and capture the data there instead of directly on the terminals.
      - Compromise the centralized back-end systems that Target uses for payment authorization. PCI-compliant retailers aren't supposed to capture full track data from the cards, but it might be possible to enable some sort of legacy mode that does just that.
      - Compromise the network devices (routers, etc.) that the data is transmitted over. PCI only requires network-level encryption for transmission over untrusted networks, not internal corporate networks.

      Etc. etc. Magnetic-stripe cards are a security nightmare, and everything that retailers do related to them is just a band-aid. We (the US) need to move to systems that use one-time codes - like chip-and-PIN - like the entire rest of the world is either in the process of doing or has done already.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    8. Re:don't connect everything to the internet! by girlintraining · · Score: 5, Informative

      I thought PCI Compliance was supposed to take care of that per defining the standards in network security for POS (Point of Sales) systems?

      It did. The article's scenario is a lie. Let me ask you how likely it is that, during the busiest day of the year for this retailer, with thousands of people jammed into long lines, in the one place where there are at least two high resolution cameras pointed at each terminal, a single person or group of persons, could plant multiple devices at multiple stores, within a short period of time, and then remove them after, without leaving any photographic or forensic evidence.

      Because guys, that's the story that law enforcement, in collusion with the company, has released to the general public. So yes, this is bona fide conspiracy theory. But it's credible because 1. It only takes a small number of people to keep the secret: Target's senior management and information security, and select law enforcement offices. 2. They all have motivations for doing so -- law enforcement is doubtless aware that releasing true details of the crime would (a) expose a weakness in a Fortune 100 company that, besides processing credit card payments, also maintains personal health data at these locations (Pharmacy). The damage to the company, and indeed the country's economy, would be far in excess of the damage to individual creditors' accounts. It makes sense to lie about it. And this story doesn't have to hold forever -- in a few months, when everyone has forgotten about it, the truth will emerge in a court filing when they bring the people responsible up on charges.

      Now, all that said -- here's the more likely scenario, which is based on my short employment with this corporation: They hacked their wifi. Unfortunately, Target has repeatedly opted to silence, or even fire, people who object to their security policy, so I do not feel bad about making this public. Target is run by morons -- big surprise, it's a large corporation. Anyone who's worked in IT will have similar experiences -- it's hardly just Target. In this case, they allow full access to any server within their corporate network at each retail location, isolated only by primitive subnet routing to delineate what is and isn't allowed through the choke router. And that's it. Once you're logged into the network anywhere, it's a flat network topology and you can easily make contact with any other node on the network. Every store has multiple wifi routers, and while they do change the keys on a regular basis, it's not all the keys, and not on all the routers -- specifically, they use an inventory-management system within the stores (Those bulky "guns" you see the red shirts carrying) which depends on wifi.

      There have been breaches to the network in the past through its wireless access points. These are not generally known to the public, but they have happened, and it has resulted in a number of security problems. Besides the customer's credit card data being stored on POS systems which are booted off DHCP to embedded windows, there's also the IP-based cameras. There are an average of 20 or so at each store, and they use an embedded webserver in each of them, which stream to a central source. The password for the approximately 42,000 devices is the same on each, and is not changed often, if ever, because the firmware lacks the ability to change the password programmatically; there's no admin console. Besides the fact that many of these cameras have zoom and rotate features, and some have been known to be installed in positions where rotating the view can show the customers in the changing rooms... they're of sufficiently high quality that you can see the PINs people enter at the POS systems. The cash room, where the money is counted down at the end of every shift, is secured, but also has a camera in it. It's not hard to imagine someone with access to the cameras spying on the managers to acquire their passwords. And that's not even the creepy part: Target has installed ANPR-capable cameras i

      --
      #fuckbeta #iamslashdot #dicemustdie
    9. Re:don't connect everything to the internet! by Cramer · · Score: 2

      It almost always takes more than 20sec. And it requires a real (circuit switched) phone line. For small retailers, this works. For a big chain store, with dozens of lanes, individually processing each CC transaction would be complete murder; no one is going to wait even 30s for a CC authorization these days. How long did your last CC purchase take? Under 5s? Now imagine standing there for 45s.

    10. Re:don't connect everything to the internet! by ruir · · Score: 2

      You are spot on sir. And this is why at my bank, I always have refused their multiple suggestions to do Internet banking. I tell them flatly I work in the field, and know how weak the process is.

    11. Re:don't connect everything to the internet! by ruir · · Score: 2

      Actually it has. No activated account until I request so, not using it in any terminal at all also (in the case it was activated by default), and plausible deniability. If in any case at all, anything is ever lifted via the Internet banking mechanism, I never had access to it, nor any password. From what I have seen in projects I have been indirectly involved in, I would not want these guys to design my home network, much less a bank network. And then I don't trust their choice of Internet facing operating systems either.

    12. Re:don't connect everything to the internet! by rmdingler · · Score: 5, Insightful
      "Of course, my bet is an inside job. With the right people involved, you can bypass almost anything."

      Temp holiday hiring season combined with the traditionally busiest time of the year... the perfect storm for a well organized attack.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    13. Re:don't connect everything to the internet! by Charliemopps · · Score: 3, Interesting

      About 10 years ago I used to work for ATT in their "VPN" section. Basically they had a private VPN on their network that was specifically designed for this sort of situation. The data lines were extremely small, like 8k (they could be bigger if desired) and were used almost exclusively by cash registers. These would connect via the VPN to their primary network. Not only was an attack of the VPN difficult, with an 8k transfer rate it would be pretty difficult to send much up to them anyway. I assumed this was how all stores operated but apparently not Target.

    14. Re:don't connect everything to the internet! by Anonymous Coward · · Score: 5, Informative

      CVV is on the magnetic strip.

      CVV2 is only printed on the card.

      Do not confuse them. One of them is used to validate a swiped transaction, one is used to validate a keyed transaction. Any transaction that has both is invalid. A transaction that has neither is ripe for an audit.

    15. Re:don't connect everything to the internet! by operagost · · Score: 3, Interesting

      PCI compliance says you can't have an open network port available in public areas. That is, if you have a network jack on the floor where people can use it without having their specific MAC authorized, then you're non-compliant.

      If Target is PCI compliant, then this is an internal breach.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    16. Re:don't connect everything to the internet! by GTRacer · · Score: 2

      According to Target's press release on their site, REDcard was hit too. My REDcard goes to my debit account, but then again, I used my debit card there in the breach span too. Prolly also my credit card. Considering having all card providers issue new cards which should sort this nicely.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    17. Re:don't connect everything to the internet! by Anonymous Coward · · Score: 2, Interesting

      I've heard from a couple sources, which I'm trying to find citations for again, the breach was due to a pushed update from the POS provider. It isn't mentioned in the majority of the reports, so I don't know if it's because there's no truth in that or the information was not in the official release to prevent potential backlash before coming to a solid finding.

  3. Chip and Pin by the+eric+conspiracy · · Score: 4, Interesting

    You would think that these breaches would get the US to update its security practices.

    1. Chip and Pin credit cards.
    2. Separate authentication and authorization in the SS system.

    1. Re:Chip and Pin by Tanktalus · · Score: 4, Insightful

      Why do you think chip and pin would be an update to security practices? We've had that discussion before. Multiple times. It's more security theatre, and I doubt that this attack would have been much more difficult to co-ordinate with chip/pin cards.

    2. Re:Chip and Pin by Mashiki · · Score: 4, Informative

      Considering you need the PIN for it to work, it becomes a bit more difficult. And it's either going to be 4 or 6 numbers long, so unless at every terminal they're recording the PIN, you're talking about brute forcing all known PINs against the card. Most cards lock after 5 failed attempts, plus at least with the Interac system here in Canada, if the other side doesn't authorize the PIN, the chip doesn't authorize the PIN, and you get squat.

      It's massively cut down on the bank card, and CC fraud we've been dealing with up here. I'm sure it'll be an arms race again in a few years, but right now it is an improvement in security albeit a small one.

      --
      Om, nomnomnom...
    3. Re:Chip and Pin by blincoln · · Score: 4, Informative

      Chip-and-PIN isn't perfect, but it's about a thousand times better than the archaic mag-stripe cards that are still in use in the US.

      Mag-stripe cards are a relic of 30-40 years or more ago - similar to social security numbers - where your identification is the same as your authentication. It's a "secret name"-type system where as soon as you tell someone what your account number is, they can do whatever they want with it.

      Mag-stripe cards can be cloned easily with a ~$100 reader/encoder that you can order from China on eBay (I have one - it's pretty neat). All you need to do is swipe the card through it once (or through a cheap reader, which you save the data from and then write to a card using the bulkier encoder later). AFAIK with Chip-and-PIN, you would need a lot more time with the card, some expensive hardware, and some reverse-engineering skills instead of just click-the-copy-button skills.

      Also, AFAIK, with Chip-and-PIN, you can't clone the card solely by intercepting network or device-to-device traffic. You have to compromise the reader itself. If you can intercept unencrypted network traffic from a mag-stripe transaction, then at a minimum you've got everything you need to use that card fraudulently online, and depending on how bad the system is that's involved, you probably have everything you need to create a full clone of the card.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    4. Re:Chip and Pin by IamTheRealMike · · Score: 4, Interesting

      AFAIK with Chip-and-PIN, you would need a lot more time with the card, some expensive hardware, and some reverse-engineering skills instead of just click-the-copy-button skills.

      Actually it's better than that. Nobody knows how hard it is to clone an EMV card because I'm pretty sure it's never been done (by the non-banking industry). All the attacks on EMV that have been mounted are things like obscure protocol attacks that could be detected by the bank, attacks on very old first generation cards that didn't have CPUs inside them, attacks on weak random number generators inside ATMs and the other sorts of attacks you'd expect to see on an enormous and widely deployed cryptographic system. There have been a few amusingly convoluted social engineering schemes as well.

      Some say EMV is the largest crypto system in history, larger even than SSL, and that would not surprise me. But what nobody has reported so far is cloned cards (at least not cloned DDA cards which is what most of the industry is using now for some time already).

      The idea that EMV is broken or security theater is an idea pushed by exactly one group, AFAIK, the research group at Cambridge. They've done great work researching flaws in the system and ensuring public sector bug research keeps up with the criminal world's research, but they also love making dramatic press releases and getting their names on TV, so every time they discover a new (invariably patchable) weakness, they declare it's game over and the entire system is worthless. Not so.

    5. Re:Chip and Pin by makomk · · Score: 2

      In practice, those obscure protocol attacks that could be detected by the bank weren't detected by the bank - they didn't bother looking for them and deleted the logs which would indicate if they were used. Some people in the UK had fraudulent transactions that were likely caused by this attack being used in the wild (in fact that's why researchers went looking for it in the first place), but the customers ended up liable for them because they couldn't prove it since the bank had deleted the logs.

    6. Re:Chip and Pin by IamTheRealMike · · Score: 2

      If you're thinking of the RNG thing, actually some banks did still have the logs which is why they were able to identify the problem in the first place. But yes not all banks are so careful.

      Don't get me wrong. It's good that people research EMV, and the task isn't easy. I respect the Cambridge team for that reason. But when they talk to the media or about their work in general, they act as if friendly fraud doesn't exist and EMV is just one giant scam by banks. That's ridiculous. "Friendly fraud" (that's the technical term for it) where the consumer defrauds the bank/merchant is not only a thing, but a highly prevalent and measurable thing. EMV protects sellers by shifting payment security to the buyer, who is typically the one who can most affect it, by keeping their PIN safe. It's not OK that banks don't seem to be pen-testing their own systems aggressively enough, although of course as the system is closed we don't know about the mistakes their own development teams did catch. But it's not useless, and nor is the liability shift. After all, in commerce it takes two to tango.

  4. Inside job by Spy+Handler · · Score: 4, Insightful

    Extremely unlikely that something of this scale and magnitude could've been done without inside help. This is not like the guys who put a card skimmer on the gas pump at the corner gas station.

    IT admins at Target are probably getting grilled by the FBI as we speak.

  5. Glad I paid cash a few days ago by sandytaru · · Score: 2

    I only paid cash because it was such a trivial amount - under ten dollars - but I should make a point of doing it more often. I've been a victim of this before, when they targeted Office Max several years ago. Wiped out $1300 from my checking account. Thankfully, Wachovia's fraud department paid back every penny, including overdraft fees, but it was just awful for that month it took to get resolved to have to borrow money to pay bills since I didn't have a credit card.

    --
    Occasionally living proof of the Ballmer peak.
    1. Re:Glad I paid cash a few days ago by philip.paradis · · Score: 2

      You should have switched to a better bank, or rather a decent credit union. When this happened to me, Navy Federal Credit Union returned all the funds to my account within four hours.

      --
      Write failed: Broken pipe
  6. I hope no one loses money, but... by cervesaebraciator · · Score: 4, Funny

    the inconvenience of getting a new credit card is karma from making Target employees work on Thanksgiving and Black Friday.

  7. Our Target just installed new card readers by NixieBunny · · Score: 3, Insightful
    The last time I went there, last week, the credit card reader machine was new. I don't know when it went in, as I hadn't been there for a month or two before that.

    This must mean something, or not.

    --
    The determined Real Programmer can write Fortran programs in any language.
    1. Re:Our Target just installed new card readers by SeaFox · · Score: 5, Funny

      This must mean something, or not.

      ...those would be the choices

  8. Re:Wouldn't be surprised if Wal-Mart was... by DaHat · · Score: 2, Insightful

    It wouldn't surprise me if /. user KrazyDave was behind the whole plot... and subsequently trying to plant false stories to divert attention.

  9. I Stopped Shopping At Target by Anonymous Coward · · Score: 2, Insightful

    I went into a Target a couple years ago to buy a copy of GTA IV, and they insisted on scanning the barcode off the back of my driver's license. I refused to allow them to scan my driver's license, and they refused to sell me the game. (I'm 50 years old and with a grey beard, so it wasn't to be sure that I was old enough.) I haven't been into a Target since, so this story is no problem for me! :)

  10. What if it wasn't the credit card auth? by ai4px · · Score: 2

    I see in many of the comments that the probable method of attack was sniffing the outbound traffic... but what if the hack was embedded in a firmware update on all the cash registers? The cash register gets the CC number from the POS keypad, right?

    1. Re:What if it wasn't the credit card auth? by ediron2 · · Score: 2

      From what I understand (IANA PCI Expert) POS gets the card number less and less.

      Some POS magnetic heads now come with encryption literally built into the head elements. The cardswipe heads encrypt card data, then send the encrypted chunk to the card processor. The card processor sends back confirmation data. Newer systems are capable of making it so that the closest that Target gets to your data is a token that is not the card data: it can be reused by the business (adjustments, additional charges if you're at a hotel, that sort of thing), but it only makes sense to the point of sale and the processor: 'We agree that 1555-5555-5555-1515 will map to a card ending in 1515, owned by Jane Doe'.

      The cardswipe system has a PKI methodology that enables the processor to update the encryption keys. So, keys are processor-specific, processor controlled. Point of Sale never touches the keys, the card data... they just get little accountant-friendly tokens.

      This is pretty new stuff, so it's likely NOT in place at Target.

      Please, if I misunderstand this aspect of P2PE, some PCI expert is welcome to fix my understanding.
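The P2PE flow ediron2 sketches (encrypting read head, processor-owned keys, POS software that only ever handles a token) can be simulated end to end to show what each party sees. This is an added example, not code from the original post or from any real processor: the class names, the key-rotation call, the cardholder record and the PAN are constructed, and HMAC-SHA256 in counter mode stands in for the DUKPT/AES scheme a real head would use, so that the example runs with the Python standard library alone.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce||counter) XOR data.
    Assumption for this example only; real heads use DUKPT or AES."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Processor:
    """Card processor: provisions head keys, is the only party that sees PANs,
    and hands the merchant a token plus the last four digits."""

    def __init__(self) -> None:
        self.keys: Dict[int, bytes] = {}                     # key id -> key
        self.tokens: Dict[str, Tuple[str, str]] = {}         # token -> (last4, cardholder)
        self.cardholders = {"4111111111131515": "Jane Doe"}  # constructed record

    def provision_key(self, kid: int) -> bytes:
        """Processor-driven key management: the POS never calls this."""
        self.keys[kid] = secrets.token_bytes(32)
        return self.keys[kid]

    def authorize(self, kid: int, nonce: bytes, blob: bytes) -> dict:
        pan = keystream_xor(self.keys[kid], nonce, blob).decode()
        token = secrets.token_hex(8)
        self.tokens[token] = (pan[-4:], self.cardholders.get(pan, "unknown"))
        return {"approved": True, "token": token, "last4": pan[-4:]}

    def adjust(self, token: str) -> bool:
        """Follow-on charge keyed by token only; no card data needed."""
        return token in self.tokens


class SwipeHead:
    """Encrypting read head: the only in-store component holding a key."""

    def __init__(self, kid: int, key: bytes) -> None:
        self.kid, self.key = kid, key

    def rekey(self, kid: int, key: bytes) -> None:
        self.kid, self.key = kid, key

    def swipe(self, pan: str) -> Tuple[int, bytes, bytes]:
        nonce = secrets.token_bytes(12)
        return self.kid, nonce, keystream_xor(self.key, nonce, pan.encode())


class PointOfSale:
    """Register software: forwards opaque blobs, stores tokens, nothing else."""

    def __init__(self, head: SwipeHead, processor: Processor) -> None:
        self.head, self.processor = head, processor
        self.observed: List[bytes] = []   # every byte string the POS handled
        self.receipts: List[dict] = []

    def sale(self, pan: str) -> dict:
        kid, nonce, blob = self.head.swipe(pan)   # pan models the physical card
        self.observed.append(blob)
        resp = self.processor.authorize(kid, nonce, blob)
        self.receipts.append(resp)
        return resp


def run_demo() -> dict:
    processor = Processor()
    head = SwipeHead(1, processor.provision_key(1))
    pos = PointOfSale(head, processor)
    pan = "4111111111131515"                     # constructed, Luhn-valid PAN

    first = pos.sale(pan)
    pos_saw_pan = any(pan.encode() in blob for blob in pos.observed)
    # Processor rotates the key; the register code is untouched.
    head.rekey(2, processor.provision_key(2))
    second = pos.sale(pan)
    return {
        "last4": first["last4"],
        "pos_saw_pan": pos_saw_pan,
        "token_lookup": processor.tokens[first["token"]],
        "adjust_ok": processor.adjust(first["token"]),
        "rotation_ok": second["last4"] == "1515" and head.kid == 2,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes is structural rather than cryptographic: a register compromised by a bad firmware push (the scenario raised earlier in the thread) would only ever collect ciphertext under a key it does not hold, and the merchant's stored tokens are useless to anyone outside the merchant/processor pair.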