Target Has Major Credit Card Breach

JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.

Well, with a name like that...

Well with a name like that, I've been avoiding them for years. Can't hurt to play safe.

don't connect everything to the internet!

[Nyder]

You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

Will they ever learn?

Re:don't connect everything to the internet!

[Nyder]

You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

Will they ever learn?

Guess maybe i'm not thinking. They do need to verify that cards are correct, so they do need some internet access, though they could do it over the phone.

Well, i guess they will still need to rethink the security of this.

Seems to me they readers only need to communicate with a computer in the store, then that computer could do the verifying. Might be a little slower, but would probably be a lot more secure.

Re:don't connect everything to the internet!

[E-Rock]

It's a shame that we probably won't get good details about what happened. If they're PCI compliant, those devices need to be on their own network away from the rest of the company machines. If they were actually doing that, I'd think that they could have caught this with some sort of egress filtering that would either block or alert when it saw CC information going out, or outbound connections from the CC system to unauthorized systems.

Of course, my bet is an inside job. With the right people involved, you can bypass almost anything.

Re:don't connect everything to the internet!

[JWSmythe]

They don't need direct access. Actually, your CC data is suppose to be kept away from the Internet. That's what private circuits are for. In the case of a major retailer like Target, they should be doing all financial transfers over private circuits, with no Internet access.

Someone may have decided it would be cheaper to share the circuit with Internet access. That was *very* dumb of them.

Re:don't connect everything to the internet!

[blincoln]

Who said anything about these devices being compromised by an attack from the internet? There are all sorts of ways to attack them indirectly:

- Compromise the system that manages them, then use that management system to push out compromised firmware or OS updates (depending on the device type - the newer payment terminals are often little Linux machines).
- Compromise the POS registers and capture the data there instead of directly on the terminals.
- Compromise the centralized back-end systems that Target uses for payment authorization. PCI-compliant retailers aren't supposed to capture full track data from the cards, but it might be possible to enable some sort of legacy mode that does just that.
- Compromise the network devices (routers, etc.) that the data is transmitted over. PCI only requires network-level encryption for transmission over untrusted networks, not internal corporate networks.

Etc. etc. Magnetic-stripe cards are a security nightmare, and everything that retailers do related to them is just a band-aid. We (the US) need to move to systems that use one-time codes - like chip-and-PIN - like the entire rest of the world is either in the process of doing or has done already.

Re:don't connect everything to the internet!

[girlintraining]

I thought PCI Compliance was supposed to take care of that per defining the standards in network security for POS (Point of Sales) systems?

It did. The article's scenario is a lie. Let me ask you how likely it is that, during the busiest day of the year for this retailer, with thousands of people jammed into long lines, in the one place where there are at least two high resolution cameras pointed at each terminal, a single person or group of persons, could plant multiple devices at multiple stores, within a short period of time, and then remove them after, without leaving any photographic or forensic evidence.

Because guys, that's the story that law enforcement, in collusion with the company, has released to the general public. So yes, this is bona fide conspiracy theory. But it's credible because 1. It only takes a small number of people to keep the secret: Target's senior management and information security, and select law enforcement offices. 2. They all have motivations for doing so -- law enforcement is doubtless aware that releasing true details of the crime would (a) expose a weakness in a Fortune 100 company that, besides processing credit card payments, also maintains personal health data at these locations (Pharmacy). The damage to the company, and indeed the country's economy, would be far in excess of the damage to individual creditors accounts. It makes sense to lie about it. And this story doesn't have to hold forever -- in a few months, when everyone has forgotten about it, the truth will emerge in a court filing when they bring the people responsible up on charges.

Now, all that said -- here's the more likely scenario, which is based on my short employment with this corporation: They hacked their wifi. Unfortunately, Target has repeatedly opted to silence, or even fire, people who object to their security policy, so I do not feel bad about making this public. Target is run by morons -- big surprise, it's a large corporation. Anyone who's worked in IT will have similar experiences -- it's hardly just Target. In this case, they allow full access to any server within their corporate network at each retail location, isolated only by primitive subnet routing to delineate what is and isn't allowed through the choke router. And that's it. Once you're logged into the network anywhere, it's a flat network topology and you can easily make contact with any other node on the network. Every store has multiple wifi routers, and while they do change the keys on an regular basis, it's not all the keys, and not on all the routers -- specifically, they use an inventory-management system within the stores (Those bulky "guns" you see the red shirts carrying) which depends on wifi.

There have been breaches to the network in the past through its wireless access points. These are not generally known to the public, but they have happened, and it has resulted in a number of security problems. Besides the customer's credit card data being stored on POS systems which are booted off DHCP to embedded windows, there's also the IP-based cameras. There are an average of 20 or so at each store, and they use an embedded webserver in each of them, which stream to a central source. The password for the approximately 42,000 devices is the same on each, and is not changed often, if ever, because the firmware lacks the ability to change the password programmically; there's no admin console. Besides the fact that many of these cameras have zoom and rotate features, and some have been known to be installed in positions where rotating the view can show the customers in the changing rooms... they're of sufficiently high quality that you can see the PINs people enter at the POS systems. The cash room, where the money is counted down at the end of every shift, is secured, but also has a camera in it. It's not hard to imagine someone with access to the cameras spying on the managers to acquire their passwords. And that's not even the creepy part: Target has installed ANPR-capable cameras i

Re:don't connect everything to the internet!

[rmdingler]

"Of course, my bet is an inside job. With the right people involved, you can bypass almost anything."

Temp holiday hiring season combined with the traditionally busiest time of the year... the perfect storm for a well organized attack.

Re:don't connect everything to the internet!

[Charliemopps]

About 10 years ago I used to work for ATT in their "VPN" section. Basically they had a private VPN on their network that was specifically designed for this sort of situation. The data lines were extremely small, like 8k (they could be bigger if desired) and were used almost exclusively by cash registers. These would connect via the VPN to their primary network. Not only was an attack of the VPN difficult, with an 8k transfer rate it would be pretty difficult to send much up to them anyway. I assumed this was how all stores operated but apparently not target.

Re:don't connect everything to the internet!

CVV is on the magnetic strip.

CVV2 is only printed on the card.

Do not confuse them. One of them is used to validate a swiped transaction, one is used to validate a keyed transaction. Any transaction that has both is invalid. A transaction that has neither is ripe for an audit.

Re:don't connect everything to the internet!

[operagost]

PCI compliance says you can't have an open network port available in public areas. That is, if you have a network jack on the floor where people can use it without having their specific MAC authorized, then you're non-compliant.

If Target is PCI compliant, then this is an internal breach.

Chip and Pin

[the+eric+conspiracy]

You would think that these breaches would get the US to update it's security practices.

1. Chip and Pin credit cards.
2. Separate authentication and authorization in the SS system.

Re:Chip and Pin

[Tanktalus]

Why do you think chip and pin would be an update to security practices? We've had that discussion before. Multiple times. It's more security theatre, and I doubt that this attack would have been much more difficult to co-ordinate with chip/pin cards.

Re:Chip and Pin

[Mashiki]

Considering you need the pin for it to work, it becomes a bit more difficult. And it's either going to be 4 or 6 numbers long, so unless at every terminal they're recording the pin, you're talking about brute forcing all known pin's against the card. Most cards lock after 5 failed attempts, plus at least with the Interac system here in Canada, if the otherside doesn't authorize the pin, the chip doesn't authorize the pin you get squat.

It's massively cut down on the bank card, and CC fraud we've been dealing with up here. I'm sure it'll be an arms race again in a few years, but right now it is an improvement in security albeit a small one.

Re:Chip and Pin

[blincoln]

Chip-and-PIN isn't perfect, but it's about a thousand times better than the archaic mag-stripe cards that are still in use in the US.

Mag-stripe cards are a relic of 30-40 years or more ago - similar to social security numbers - where your identification is the same as your authentication. It's a "secret name"-type system where as soon as you tell someone what your account number is, they can do whatever they want with it.

Mag-stripe cards can be cloned easily with a ~$100 reader/encoder that you can order from China on eBay (I have one - it's pretty neat). All you need to do is swipe the card through it once (or through a cheap reader, which you save the data from and then write to a card using the bulkier encoder later). AFAIK with Chip-and-PIN, you would need a lot more time with the card, some expensive hardware, and some reverse-engineering skills instead of just click-the-copy-button skills.

Also, AFAIK, with Chip-and-PIN, you can't clone the card solely by intercepting network or device-to-device traffic. You have to compromise the reader itself. If you can intercept unencrypted network traffic from a mag-stripe transaction, then at a minimum you've got everything you need to use that card fraudulently online, and depending on how bad the system is that's involved, you probably have everything you need to create a full clone of the card.

Re:Chip and Pin

[IamTheRealMike]

AFAIK with Chip-and-PIN, you would need a lot more time with the card, some expensive hardware, and some reverse-engineering skills instead of just click-the-copy-button skills.

Actually it's better than that. Nobody knows how hard it is to clone an EMV card because I'm pretty sure it's never been done (by the non-banking industry). All the attacks on EMV that have been mounted are things like obscure protocol attacks that could be detected by the bank, attacks on very old first generation cards that didn't have CPUs inside them, attacks on weak random number generators inside ATM's and the other sorts of attacks you'd expect to see on an enormous and widely deployed cryptographic system. There have been a few amusingly convoluted social engineering schemes as well.

Some say EMV is the largest crypto system in history, larger even than SSL, and that would not surprise me. But what nobody has reported so far is cloned cards (at least not cloned DDA cards which is what most of the industry is using now for some time already).

The idea that EMV is broken or security theater is an idea pushed by exactly one group, AFAIK, the research group at Cambridge. They've done great work researching flaws in the system and ensuring public sector bug research keeps up with the criminal worlds research, but they also love making dramatic press releases and getting their names on TV, so every time they discover a new (invariably patchable) weakness, they declare it's game over and the entire system is worthless. Not so.

Inside job

[Spy+Handler]

Extremely unlikely that something of this scale and magnitude could've been done without inside help. This is not like the guys who put a card skimmer on the gas pump at the corner gas station.

IT admins at Target are probably getting grilled by FBI as we speak.

I hope no one loses money, but...

[cervesaebraciator]

the inconvenience of getting a new credit card is karma from making Target employees work on Thanksgiving and Black Friday.

Our Target just installed new card readers

[NixieBunny]

The last time I went there, last week, the credit card reader machine was new. I don't know when it went in, as I hadn't been there for a month or two before that.

This must mean something, or not.

Re:Our Target just installed new card readers

[SeaFox]

This must mean something, or not.

...those would be the choices