Target Confirms Point-of-Sale Malware Was Used In Attack
wiredmikey writes "According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country. Steinhafel told CNBC's Becky Quick in an interview that malware was used in attacks that compromised the company's point of sale registers. According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy holiday shopping season. According to sources who spoke to Reuters, attackers used RAM scraper, or memory parser, malware to steal sensitive data from Target and other retail victims. Visa issued alerts about attacks utilizing these types of malware in April 2013 and again in August 2013. Memory parser malware targets payment card data being processed 'in the clear' (unencrypted) in a system's random access memory (RAM). 'The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,' Visa explained in a security advisory."
But was that malware also responsible for a first post?
There's any number of ways their POS system could have been done securely, but somewhere a decision must have been made on costs, in regard to paring them down, which resulted in something about as secure as an intranet of unprotected Windows XP computers exposed to the internet. No isolated network, no encryption, dependence upon commodity *cough* Windows *cough* operating system, etc.
I'm sure it all looked great, until this happened, then they get 200% more wise.
Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.
A feeling of having made the same mistake before: Deja Foobar
Somebody should be by soon to defend the l33t crackers involved in this. Can't wait to read it....
"We did you a service, now you know." Of course they won't give up anything they managed to steal.
Brace yourself for new laws.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
It's the only answer to limit exposure to mass fraud.
Those piece of shit registers..
..an amazon prime subscription here. What have you [unlucky ones] had to phone the fraud department about?
Once enough of these flaws of electronic currency exchange are exposed, people will begin the slow march back to a cash only economy. Spectacular displays of insecurity will serve to highlight just how insecure the current system is, with low bidder technology and programmers who simply do not understand security. The cancer will eat the current systems from within and large denomination bills and precious metals will become the law of the land. Currently, I keep at least $1000 dollars in cash with me at all times.
"Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target," Reuters reported, citing sources familiar with the attacks. "Those breaches have yet to come to light...
What the hell, why not? I had to cancel one of my family debit cards because of Target, do I now have to cancel my other one from an unnamed store?
After gaining access to a merchant’s network, attackers can install memory-parsing malware on register systems or backend processing servers to extract magnetic-stripe data as it moves through the payment process.
How are they gaining access to Target's network? Maybe it's from the ever-famous wireless network that's in all Target stores, and is prone to attacks, based purely on its password policy (changes automatically once a month - or doesn't at all - I hear)
“The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,” Visa explained in a security advisory.
Again, how did they not only get into the system, but how'd they know the executable binary that was running? I mean, this isn't something that was done in one day, it had to be a collective goal for more than one person.
Visa first warned about these types of attacks targeting grocery merchants, but said merchant segment is vulnerable. According to Visa, these types of memory parser malware attacks have been found only targeting Windows-based operating systems.
This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.
In March 2013, new malware was found targeting point-of-sale (POS) systems and ATMs and was behind the theft of payment card information from several US banks. Called "Dump Memory Grabber", the malware scans the memory of point-of-sale systems and ATMs looking for credit card data.
And how the shit does one gain access to an ATM's RAM?
All in all, I feel that this must have been an inside job of some kind. Not just a Target employee, but a Target employee(s) and someone who has access to ATMs inner-workings.
Politics; n. : A religion whereby man is god.
For Retailers and Credit card providers both, it appears their ability to understand the validity of robust security testing and practices revolves around cost. Not having to pay any perceived penalty due to a data breach means these corporate types can assign a relatively low risk to data breaches. Low risk usually means low test efforts as well. And this is what we as consumers appear to be satisfied with. I'm more of the opinion that if you have a data breach, it should cost you as a company X dollars per person affected...and start X somewhere above 5 figures. Each person would get that payout. How serious then would corporations take data security?
"Work is the curse of the drinking class" Oscar Wilde
Just wondering.
Only shop at $0.99 stores because even thieves know those customers haven't any money to steal.
Cranky educator.
> [...] that malware was used in attacks that compromised the company's point of sale registers.
See?? There is still a market for Windows 98 programmers!
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
PCI-DSS was created to hold merchants to some kind of security standards. There are huge fines if your payment processing system isn't compliant.
Details aren't really that clear, but do we know if Target was in violation of the requirements? Or is this a case of PCI-DSS compliance not guaranteeing security? From what I remember of PCI-DSS, it was a good start but not comprehensive. It seemed more focused on preventing someone from swapping out a legitimate credit card processing device with a compromised one, preventing snooping on the local network, and avoiding having normal unsecured POS devices do credit processing. This attack was at Target's corporate processing core it seems so I don't even know if PCI-DSS applies.
The Card Readers they used should have been encrypted making all sensitive data only decipherable to the processor. There would have been no data "in the clear" even if they were RAM Scraping.
The US of A I expect
haha! That never happens... if it does then it's done by individuals or groups who immigrated here from 3rd world countries.
I worked on POS systems back in the late 90s - so, keep in mind my knowledge is not recent - no really, retailers move at a snail's pace when it comes to technology.
First, this was an inside job. POS systems are too stupid to connect to the Internet.
Second, back in my day, the register was a very dumb PC (DOS with an extender and later moved to Windows - yeah, I know). Network security NEVER entered the picture because it is a closed system: POS->Store server->Local/Main office over leased lines or VPN on the internet. The servers were slow shit. All they need to do is record sales data.
In other words, IF the POS servers were in fact connected to the Internet so that crackers could get it, then someone really really really screwed up because there was absolutely no reason to do so. Too slow.
And if these servers WERE connected to the Internet, all the crackers would see is unencrypted transaction data: CC #s, exp dates, amounts, what was bought, names, and all the other data collected by the POS computer. Yeah, wide open - because it was thought that no one outside the store would ever see it.
Retailing, in general, is a VERY competitive business with razor thin margins. Go to your finance website of choice and compare Walmart's, Target's, Sears' or whoever's operating margins with any other industry's company - Pharma is my favorite comparison: try Bristol-Myers Squibb (BMY). So, they take THE cheapest way out every time.
Assuming these POS POS machines suck when it comes to security ... why not
- Install them on their own VLAN in stores
- Deny the VLAN internet access
Simple n'est-ce pas?
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
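As an added illustration of the "own VLAN, no internet access" design suggested in the comment above (this is example code, not from the thread or from Target), the check below reads constructed flow records from a store gateway and flags any register that talks to something other than the store server or the payment gateway. The subnets, ports and log lines are assumptions made up for the example, not Target's real network.

```python
"""
Added example (not from the thread): a flow-log check for a register VLAN that
is only allowed to reach the store server and the payment gateway. All
addresses, ports and log lines are constructed; the subnets are assumptions.
"""
import ipaddress

# Assumed register VLAN and the only two egress destinations it needs:
# the in-store server and the payment gateway / VPN concentrator.
POS_VLAN = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_EGRESS = [
    (ipaddress.ip_network("10.20.255.10/32"), 8443),   # store server (assumed)
    (ipaddress.ip_network("10.0.1.0/24"), 443),        # payment gateway (assumed)
]

# Constructed flow records: timestamp src dst dport action
SAMPLE_FLOWS = """\
2013-12-02T10:14:03 10.20.3.17 10.20.255.10 8443 ACCEPT
2013-12-02T10:14:05 10.20.3.17 10.0.1.5 443 ACCEPT
2013-12-02T10:14:09 10.20.3.17 198.51.100.23 80 ACCEPT
2013-12-02T10:14:11 10.20.4.2 203.0.113.9 21 ACCEPT
2013-12-02T10:15:00 10.30.1.1 198.51.100.23 80 ACCEPT
"""


def egress_allowed(dst, dport):
    """True if a register is permitted to talk to dst:dport."""
    return any(dst in net and dport == port for net, port in ALLOWED_EGRESS)


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    ts, src, dst, dport, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action


def policy_violations(log_text):
    """Flows that left the register VLAN for a destination outside the allow list.
    Hosts outside POS_VLAN are not registers and are skipped here."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_flow(line)
        if src in POS_VLAN and not egress_allowed(dst, dport):
            hits.append((ts, str(src), str(dst), dport))
    return hits


def egress_rule_lines():
    """The same policy as a deny-by-default ruleset in iptables syntax, assumed to
    run on the store's VLAN gateway; the final rule drops everything else from
    the register VLAN, which is what 'deny the VLAN internet access' means."""
    rules = [
        f"iptables -A FORWARD -s {POS_VLAN} -d {net} -p tcp --dport {port} -j ACCEPT"
        for net, port in ALLOWED_EGRESS
    ]
    rules.append(f"iptables -A FORWARD -s {POS_VLAN} -j DROP")
    return rules


if __name__ == "__main__":
    for hit in policy_violations(SAMPLE_FLOWS):
        print("register egress outside allow list:", hit)
    print("\n".join(egress_rule_lines()))
```

On the constructed log, two registers are flagged: one reaching an external web host on port 80 and one reaching an external FTP port, while the traffic to the store server and the gateway passes. The same allow list, rendered as the drop-by-default ruleset, is what prevents those flows in the first place; the log check is the detection for the case where the ruleset is missing or misconfigured.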
I must be having some rendering issue in my browser. No matter how many articles I read mentioning "Target Chairman and CEO Gregg Steinhafel", I can never make out the word "outgoing" in front of the title. Not even "embattled". It must be a browser problem. I can imagine some weird bug that would cause such words to be rendered as hidden text; I can't imagine a world where a CEO would emerge unscathed from a screw-up of this magnitude. Right?
I got an e-mail from Target offering me free credit monitoring.
Yeah, they leaked my name, address, credit card number etc and now they want me to sign up for credit monitoring with them. Just input your social security number and answer a few questions ...
We have been hearing about how Target figures out if you're pregnant before your family does. They have been doing all sorts of data mining on people.
I suspect what is leaked is not just the name, address and credit card info on their subscribers. What if they have a profile on each of their customers that is also leaked? What if they compiled all sorts of data about their customers from various sources, like relationships, employment field, estimated incomes and other bits of info from the credit history? What if all that was leaked?
These Russian hackers know their shit.. almost as good as the NSA.
There's a good case to be made for the NSA to go after them at this point.
Who's against the NSA now??
Ah, er, if it were actually the NSA that engaged in protecting against/pursuing/prosecuting these types of things, then yes not as many people would be "Against" them. Alas, they don't (and make no promises to) do anything of the sort. Continuing to snoop on unsuspecting people around the world? That IS in their wheelhouse.
Why are they not using thin clients like VMware, Citrix, with PCoIP? I recently visited a Bob's furniture store and all their POS terminals were thin clients using either RDP, Citrix, or bus virtualization protocols like PCoIP. Same with the terminals at all the centers at another firm.
With the current generation thin clients, particularly the nifty PCoIP ones, local performance is very attainable even though it isn't really needed for POS terminals. VMware has offered PCoIP since 2008 and Amazon has just released their implementation.
I think Target deserves what they got for having POS terminals that are allowed to be locally modified in any way.
Kriston
Who's against the NSA now??
ME
They were quite psychic when selecting this particular acronym.
they should have used bitcoin in the stores.
Build your own energy sources from scratch. http://otherpower.com/
First, target has NOT wiped and re-installed. As such, there are Trojans waiting to come alive and look for other malware to install.
but it gets better. Everybody is missing the fact that all of the companies having this malware offshore their IT. What is happening is that Indians are paid $8-10k, and are then offered 100-200k to release the malware. Of course they do it. They are set up for life and do not hurt their peers.
this will continue as long as American companies are dumb enough to offshore.
Where is girlintraining when you need her? I came here after her previous commentary on having worked at Target, to see if any of this matches her experience. I wanted an insider's take. Uh, oh. Was she "disappeared" after commenting?
I got an e-mail from Target offering me free credit monitoring.
Yeah, they leaked my name, address, credit card number etc and now they want me to sign up for credit monitoring with them. Just input your social security number and answer a few questions ...
Surely, they aren't offering to sign you up with their roll-your-own credit-monitoring system, right? (Because I wouldn't go for that either.) Last time I had a credit card possibly compromised, the retailer at fault gave me a free one year subscription to Equifax's credit monitoring service. I got a coupon code from the retailer, but all the interaction was with the credit bureau.
(For the sake of closure on that anecdote, nothing weird happened over the following year.)
I am not a crackpot.
This is the third, of what is likely to be dozens, of incestuously self referencing blog posts and "news" articles all reverberating the same assumptions, supposition, and lack of factual detail.
They got the credit card data from the point of sale (PoS), where the data is entered. Duh, we knew that. It was malware. We pretty much knew that too, it sorta goes without saying. But, they still haven't actually said what the malware was or did exactly. Though fluffy, the reports do pontificate cluelessly about "RAM scrapers" which Visa already warned about. Except that Visa's warnings were for Windows systems and Target uses Linux PoS systems. So, again, we don't really know shit.
So, despite this article's claims of confirmation, here's what we still don't know:
1. How the malware got in or was installed.
2. When the breach first occurred.
3. The specific nature of the malware and which specific system it targeted.
4. The full extent of what was taken.
5. Who did it.
What else have I missed?
These Russian hackers know their shit.. almost as good as the NSA.
There's a good case to be made for the NSA to go after them at this point.
Who's against the NSA now??
Ah, er, if it were actually the NSA that engaged in protecting against/pursuing/prosecuting these types of things, then yes not as many people would be "Against" them. Alas, they don't (and make no promises to) do anything of the sort. Continuing to snoop on unsuspecting people around the world? That IS in their wheelhouse.
I certainly hope they're snooping on unsuspecting people. Otherwise they're not likely to get much useful data.
Say, rather, that they're snooping on far more people than they can reasonably justify as suspects. And on people who are supposed to be completely beyond their jurisdiction.
Surely, they aren't offering to sign you up with their roll-your-own credit-monitoring system, right? (Because I wouldn't go for that either.) Last time I had a credit card possibly compromised, the retailer at fault gave me a free one year subscription to Equifax's credit monitoring service. I got a coupon code from the retailer, but all the interaction was with the credit bureau.
(For the sake of closure on that anecdote, nothing weird happened over the following year.)
Yes, it is through Equifax they say.
The website is here. https://creditmonitoring.target.com/
Only shop at $0.99 stores
What do you eat? Canned tuna and generic oreos?
all the bad boys know the ins and outs of Windows APIs. read the Visa alert, it's only Windows registers that get fooled and compromised.
this is one of those things where using commodity software in any stripe is probably not advised. like, for instance, cars. airplanes. hope to God not nuclear reactors.
embedded Windows is a freakin' end of civilization waiting for the right malware...
if this is supposed to be a new economy, how come they still want my old fashioned money?
Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...
False! It's dirt cheap, just a couple hundred dollars. You filled out an application, paid a fee, and got an enhanced port scan. How exactly does your shiny new (annually renewed) PCI DSS compliance accreditation protect ANYTHING? PCI compliance testing does nothing beyond proving that you at least installed a consumer grade router/firewall between your card reader, card data storage, and the internet. Literally nothing between your card data and the internet beyond a 10 year old $50 Linksys router.
But, God forbid your SMTP server utilize weak cyphers, cause that'll fail you right there! Does it matter that no-fucking-body is using TLS to exchange SMTP email? Nope! But, if you get your SMTP TLS fixed, your Linksys firewall will be fully PCI DSS compliant! Give me a fucking break.
But, here's the kicker, IT WILL NEVER BE FIXED. If PCI demanded and enforced real security, it would be FAR too prohibitively expensive for most retailers, especially small shops, to be able to satisfy the requirements. This would cut into the card industry's profits. So, they will always make gestures like PCI DSS, but they will never be strong enough to be effective because that would damage Visa's profits.
Remember, boys and girls, this entire debacle costs Visa NOTHING! False charges are rolled back and the merchant eats the cost of the fraudulent charges. Your credit card number gets stolen and is used fraudulently to buy lunch at some small restaurant? The restaurant gets the chargeback and eats the loss. Your card number gets used to buy some eBay stuff, same thing happens to the sap that was trying to make a buck on eBay. They lose their goods and their money.
They have no idea who to target, so they literally target the whole world.
If the NSA was any good, they would have seen this attack coming.
The utter failure speaks of their competence.
There are two types of people in the world: Those who crave closure
the link is interesting reading. click it.
if this is supposed to be a new economy, how come they still want my old fashioned money?
This is yet another reason why nobody should be using Windows for their point of sale systems.
The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
Who's against the NSA now??
Me.
Why is it so hard to only have politicians for a few years, then have them go away?
The NSA is an intelligence gathering agency; they are not law enforcement. They have no jurisdictional boundaries to their operations. As a U.S. government agency they are supposed to have to observe some niceties insofar as operating in the U.S. and targeting U.S. citizens what with the Constitution and all. Their failure to always do that is where they've gone wrong. And, as you've indicated, they've probably collected so much information that it's getting in the way of useful intelligence analysis. Too much can be worse than not enough. The other fun fact is that they and their allied agencies in other countries seemed to get around some restrictions by letting the "foreigners" do the spying on the domestics for them and then exchanging what they collected.
Very often, people confuse simple with simplistic. The nuance is lost on most. - Clement Mok
Food is different. Virtually nobody buys food with cash. They use credit, debit, food stamps, or check.
Actually, given how much work the NSA put into SELinux, and the fact that had Target run their POS systems on Linux with full SELinux lock down instead of on wide-open Windows, it’s unlikely an attack like this would have been possible.
Sounds like the NSA could have been our saviors here. Shame Target had to go and foul up NSA’s big chance.
Or something . . .
Under various state laws, companies that hold personal private information have a responsibility to notify people when that information is no longer in their control.
Some are statutory periods of time, like 60 days. Others are more nebulous. ("As soon as possible reasonably practicable.")
The longer they wait to report, the more liable to make themselves under the laws.
Pay no attention to the man behind the curtain with all your metadata.
70 million names, addresses, emails, and other personal information data sets were also stolen.
I'm not sure, but I don't think black boxes at credit card terminals would have solved that problem.
I think Target was data mining, and their database got hacked.
Pay no attention to the man behind the curtain with all your metadata.
This is where the "fusion centers" are supposed to come into play. The NSA is not law enforcement, but the FBI is (was) and so are other Federal and State agencies. As others have pointed out, the NSA should have seen this. They have taps in all of the backbone routers. Surely they have a decent algorithm that highlights data going to (Eastern Europe, China, etc). We know that they are analyzing plain text and decrypting SSL/TLS when plain text is not available.
They should absolutely have a map of legitimate financial networks, payment authorization data flows, etc. Anything outside of that known universe should be flagged and investigated. They are already doing this to combat money laundering, and to enforce the economic sanctions that the State Department and other Federal agencies enact.
The reality is that the NSA is not all about protecting our economy or predicting crime. They are there to uncover and crush any opposition to the government. Sure, they "cannot" catch these massive frauds, or pay attention to intelligence about terrorists planning on blowing up marathons. But trust you me, as soon as any of us start talking about armed insurrection or forcefully removing Senators, we will quickly figure out that the NSA has no problem acting upon what they want to act upon.
Exactly. The other day, IIRC, in a routine traffic stop some guy in the midwest USA was found to have 40 bombs, enough "stuff" to make more bombs, two long guns and two pistols. I don't think the NSA let the cops know about this guy. I haven't heard any more about this but one wonders where this guy was going and what was to be done with what he had in his vehicle. Probably not for some fireworks demonstration.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
Seriously. At my last company we wrote point of sale software just as PA-DSS certification was coming into play and we got our software PA-DSS certified. One of the things the QSA is supposed to test is that things like the PIN are stored encrypted in RAM. Eventually we encouraged all our customers to use the Ingenico PIN pads which the customer used and should contain encryption from the processor and run the transaction without our software ever seeing any card data. Just a transaction id and amount...
I remember this because this situation expressly came up in a project meeting when one of the young programmers questioned why it had to be encrypted in RAM. I then showed him a program that could dump and even search the contents of RAM. He wasn't aware that such a thing existed. Although I was rather shocked at how little about operating systems and hardware young CS graduates knew these days. Of course I came from the systems admin side...so...
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
When I asked in PCWorld around 30 months ago why they weren't using the chip and pin on their tills, the cashier told me it was because it had been compromised - at source - and had been swiping customer details. At that time I had to sign for my purchase (which in the UK is very unusual over the past 10 years or so)
I never did find any evidence or news article for what he said, but their tills now still use a separate card payment system from a UK bank rather than the one adjoined to their EPOS system.
The NSA is an intelligence gathering agency; they are not law enforcement. They have no jurisdictional boundaries to their operations. As a U.S. government agency they are supposed to have to observe some niceties insofar as operating in the U.S. and targeting U.S. citizens what with the Constitution and all. Their failure to always do that is where they've gone wrong. And, as you've indicated, they've probably collected so much information that it's getting in the way of useful intelligence analysis. Too much can be worse than not enough. The other fun fact is that they and their allied agencies in other countries seemed to get around some restrictions by letting the "foreigners" do the spying on the domestics for them and then exchanging what they collected.
Some of us don't consider the 4th Amendment to be a "nicety". That's what warrants are for.
Judgement comes from experience.
Experience comes from poor judgment.
--Robert E. Lee
Whooooosh!
Very often, people confuse simple with simplistic. The nuance is lost on most. - Clement Mok
While there are definitely some things that Target did wrong that opened themselves up, and lots of posters have suggested mitigation ideas, none of it matters to Target. They are not going out of business because of this, and their sales haven't dropped year-over-year. Aside from some minor collateral expense and PR, this sort of breach is no big deal for them. There's little reason for them to improve security besides benefitting from the good press that will surely come their way when they do so.
Ah, but you couldn't realistically say that the people are unsuspecting now, after all these revelations, can you?
You must mean: "continuing to violate one or more amendments in the constitution it has sworn to uphold..."
Dominos Pizza has been storing employee and customer data in plain text for years. I even put up a fuss about it. Their reply was "it was designed this way".
There has to be some exploit allowing the malware into the POS device before it can read anything from memory. But I am sure some pointy-haired genius will soon add a "Sprint" to encrypt everything even in computer memory and registers.
Just because it's running Linux, doesn't mean it's safe... Common sense "should" prevail, but saving money & profits trump common sense.
VISA just sent us new cards and cancelled our old ones. They didn't specify exactly why, but I shop at Target.
That email "from Target" might be a phish. Careful...
Have you read my blog lately?
Clearly they're "five times newer" and "twice as good".
The Target POS machines were running Linux
Twinstiq, game news
Looks like NSA went on a 'Boy Scout' mission proof-of-concept.
Since the Administration of Harry S. Truman and up to the Obama Junta the "Spy" Agencies of the USA, CIA and NSA, have been locked in a come-what-may kill-all struggle for spying supremacy.
It's 'Natural.' CIA = Human Tech and 'Penetration' whereas NSA = Electronic Tech and 'Infiltration.'
Now a new player arrives in the 'mix.' "Infiltration Penetration" or 'IP' is NSA's new game on the board.
Target, low-brow retailer whose 'clientele' are head-deep in debt -- no excess cash at all, All debt and drowning in it.
Neiman Marcus, 'high-brow' retailer whose 'clientele' are head and shoulders above the 'grunge' and have loads of excess cash to party with. Ah -- loads of excess cash to unload from them! Good!
A certain situation dear to the President portends high: Obamacare is in need of cash to survive!
'White Knight' NSA to the rescue!
NSA will present Obama with a hoard of cash from the Neiman Marcus exploit to save Obamacare's ass!
Obama will kiss the Director of the National Security Agency.
In Obama's stoner mind, "National Security" = "Social Security." "Social Security" need money! "National Security" has money. A Deal Made In Heaven.
Obama will offer a marijuana bong and a cocaine enema to Alexander, and Alexander will do a "Gerald Ford" in asking, "what is these?"
Ha ha }:-)
Yes, Target uses Verifone POS terminals running Linux
What he's describing is something that works with their POS without allowing the computer to actually process the transaction or see card data. We have that product at my company as well. I don't do that stuff anymore, but I did help with that project originally and it was a cool idea. ECRi was where the thing plugging into the register is the entire credit card machine and it simply passes back an approval to the POS without any actual card data making it there. It's a hell of a lot more secure than using a PIN pad.
If you think about it, there's basically no reason at all they need to process the actual card with their computers. The POS exists to ring up totals and keep track of things. It does not need to take any part in the actual authorization of the card...that's how shit like THIS happens.
"Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
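The two designs contrasted in this thread, a register that parses the swipe itself versus a reader that encrypts before the bytes ever reach the register (the point made earlier about encrypted card readers leaving nothing "in the clear", and the PA-DSS test of what sits in RAM), are modelled below as an added example. It is not code from the thread, from Target, Visa, Verifone or Ingenico; the track sample uses a published test PAN, the key is made up, and the HMAC keystream cipher is a stand-in for the reader's real encryption, used only so the example runs with the standard library.

```python
"""
Added example (not from the thread or any vendor): a model of the two POS designs
the comments contrast, plus the check a QSA-style test would run on a memory
snapshot. Track data, key and cipher are constructed stand-ins.
"""
import hashlib
import hmac
import re
import secrets

# Constructed Track 2 sample with a published test PAN, in ISO 7813 layout:
# ';' PAN '=' YYMM service-code discretionary-data '?'
SAMPLE_TRACK2 = b";4111111111111111=2512101123456789?"
READER_KEY = b"constructed-reader-to-processor-key"   # assumption, not a real key
NONCE_LEN = 12

TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan):
    """Luhn check digit test used to reject digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_track2(snapshot):
    """The memory check: Track 2 sentinels around a Luhn-valid PAN in a snapshot."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(snapshot)
            if luhn_ok(m.group(1).decode())]


# Stand-in for the reader-to-processor cipher: HMAC-SHA256 keystream XOR.
# Not real P2PE; it only shows that the register handles ciphertext.
def _keystream(key, nonce, n):
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:n]


def reader_encrypt(key, track2, nonce=None):
    """What the reader emits: nonce plus ciphertext of the track."""
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(track2, _keystream(key, nonce, len(track2))))


def processor_decrypt(key, blob):
    """Only the processor holds the key, so only it recovers the track."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def pos_memory_plain_reader(track2):
    """Design A: the register application parses the swipe, so the track sits in
    its address space (simulated by surrounding it with other process data)."""
    return b"ITEM 4017 $19.99\x00" + track2 + b"\x00TOTAL $19.99"


def pos_memory_encrypting_reader(track2, key=READER_KEY):
    """Design B: the reader encrypts before the bytes reach the register; the POS
    only ever holds the opaque blob and the approval that comes back."""
    return b"ITEM 4017 $19.99\x00" + reader_encrypt(key, track2) + b"\x00APPROVED txn=000123"


def compare_designs(track2=SAMPLE_TRACK2):
    """Run the memory check against a snapshot of each design."""
    return {
        "plain_reader": find_cleartext_track2(pos_memory_plain_reader(track2)),
        "encrypting_reader": find_cleartext_track2(pos_memory_encrypting_reader(track2)),
    }


if __name__ == "__main__":
    print(compare_designs())
```

With the plain reader the snapshot yields the test PAN; with the encrypting reader the same check finds nothing, and the processor still recovers the track from the blob. That is the whole argument for keeping the register out of the authorization path: a memory parser hooked into the register application has nothing usable to read, whatever operating system the register runs.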
I <3 id Software's DOOM! [grin]
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
What to expect of something that was called Piece Of Shit?
The thieves are making up credit and debit cards with the Trojan that activate when their fake cards are being swiped at the POS. I wouldn't be surprised if all the stores have not been compromised. That is why I did all my shopping from home. Not that it is any more secure but from this exploit I'm sure it is. The problem with credit cards here in the US is that you don't know if the scanner has been compromised, if the PC/POS system has been compromised or if you are at a restaurant and you hand the wait staff the card you don't know what they are doing with your card in the back room. I say use cash, on payday you take out 2 or 3 hundred dollars to shop with and use that.
Paul E. Bahre
and if the PINs are not stored at Target (as they insist) but are decrypted and processed at the credit card hardware at the POS ..
Does this mean the malware on the POS systems and ATMs are monitoring and reporting the PIN decryption and processing? Now isn't THAT precious!
It also means that Target's encouraging words, "Oh, we never see or store the decrypted PINs, so they couldn't have been stolen from US!" isn't saying the PINs weren't stolen.
Can anyone explain this so a simple mind can grasp the extent of the threat? Or shall I just go back to pure cash transactions, and credit cards, debit cards, online shopping and transactions be damned?