Target Confirms Point-of-Sale Malware Was Used In Attack

wiredmikey writes "According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country. Steinfhafel told CNBC's Becky Quick in an interview that malware was used in attacks that compromised the company's point of sale registers. According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy the holiday shopping season. According sources who spoke to Reuters, attackers used RAM scraper, or Memory parser malware to steal sensitive data from Target and other retail victims. Visa issued alerts about attacks utilizing these types of malware in April 2013 and again in August 2013. Memory parser malware targets payment card data being processed 'in the clear' (unencrypted) in a system's random access memory (RAM). 'The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,' Visa explained in a security advisory."

Yes. Inside job without a doubt.

I worked on POS systems back in the late 90s - so, keep in mind my knowledge is not recent - no really, retailers move at a snails pace when it comes to technology.

First, this was an inside job. POS systems are too stupid to connect to the Internet.

Second, back in my day, the register was a very dumb PC (DOS with an extender and later moved to Windows - yeah, I know). Network security NEVER entered the picture because it is a closed system: POS->Store server->Local/Main office over leased lines or VPN on the internet. The servers were slow shit. All they need to do is record sales data.

In other words, IF the POS servers were in fact connected to the Internet so that crackers could get it, then someone really really really screwed up because there was absolutely no reasons to do so. Too slow.

And if these servers WERE connected to the Internet, all the crackers would see is unencrypted transaction data: CC #s, exp dates, amounts, what was bought, names, and all the other data collected by the POS computer. Yeah, wide open - because it was thought that no one outside the store would ever see it.

Retailing, in general, is a VERY competitive business with razor thin margins. Go to your finance website of choice and compare Walmart's,Target's,Sear's or whoever's operating margins with any other industry's company - Pharma is my favoriate comparison: try Bristol Meyers Sqibb (BMY). So, they take THE cheapest way out every time.

Re:Cheap architecture + short cuts = DOOM

[DickBreath]

> the card companies ought to be black boxing the readers, so that the POS system never has access to unencrypted transaction information

You're on the right track. Keep going! Don't stop yet.

How about black boxing the cards?!!!

AKA, Smart Cards. The card itself has a complete computer running Java just like the SIM card in your GSM phone. The computer on the smart card is black boxed. That computer has a private certificate. When transactions are signed by the processor in the card itself, the certificate chain can be verified that the certificate within the smart card is genuine and signed the transaction. Attempting to learn the secret data within the smart card destroys the data, or at least is extremely expensive -- and would only compromise that card making the attack not economically attractive.