Target Confirms Point-of-Sale Malware Was Used In Attack
wiredmikey writes "According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country. Steinhafel told CNBC's Becky Quick in an interview that malware was used in attacks that compromised the company's point of sale registers. According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy holiday shopping season. According to sources who spoke to Reuters, attackers used RAM scraper, or memory parser, malware to steal sensitive data from Target and other retail victims. Visa issued alerts about attacks utilizing these types of malware in April 2013 and again in August 2013. Memory parser malware targets payment card data being processed 'in the clear' (unencrypted) in a system's random access memory (RAM). 'The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the system's memory for full track data,' Visa explained in a security advisory."
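The Visa description above boils down to one observable on the register: a process that is not the payment application opening the payment application's process with memory-read rights. The following is an added detection example, not code from the story, from Visa, or from Target; it evaluates Sysmon-style ProcessAccess records (Event ID 10) against an allowlist. The payment binary name, the allowed agent paths and the sample events are all constructed assumptions for illustration.

```python
"""Flag non-payment processes that open the POS payment application with
memory-read access, which is how memory-parser malware harvests track data.

Everything below (binary names, paths, hostnames, sample events) is
constructed for this example and does not describe any real deployment.
"""

# Windows process access-right bits that appear in Sysmon's GrantedAccess field.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010

# Assumption: the payment application binary on the register (lower-cased path).
PAYMENT_IMAGES = {r"c:\pos\payapp.exe"}

# Assumption: processes that legitimately open the payment process,
# e.g. the endpoint security agent. Anything else is worth an alert.
ALLOWED_SOURCES = {
    r"c:\program files\edr\agent.exe",
    r"c:\windows\system32\csrss.exe",
}


def requests_memory_read(granted_access: int) -> bool:
    """True if the handle carries rights that allow reading the target's memory."""
    return bool(granted_access & (PROCESS_VM_READ | PROCESS_VM_OPERATION))


def evaluate(event: dict):
    """Return an alert dict for a suspicious ProcessAccess event, otherwise None."""
    if event.get("EventID") != 10:
        return None
    source = event["SourceImage"].lower()
    target = event["TargetImage"].lower()
    if target not in PAYMENT_IMAGES:
        return None
    granted = int(event["GrantedAccess"], 16)  # Sysmon logs this as a hex string
    if not requests_memory_read(granted):
        return None  # e.g. only PROCESS_QUERY_LIMITED_INFORMATION; not a memory read
    if source in ALLOWED_SOURCES:
        return None
    return {
        "host": event["Computer"],
        "source": source,
        "target": target,
        "granted": hex(granted),
    }


def scan(events):
    """Run evaluate() over a batch of events and collect the alerts."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


# Constructed sample events in the shape of Sysmon Event ID 10 records.
SAMPLE_EVENTS = [
    {   # EDR agent reading the payment process: allowlisted, no alert
        "EventID": 10, "Computer": "REG-0042",
        "SourceImage": r"C:\Program Files\EDR\agent.exe",
        "TargetImage": r"C:\POS\payapp.exe", "GrantedAccess": "0x1010",
    },
    {   # unknown binary in a temp directory reading the payment process: alert
        "EventID": 10, "Computer": "REG-0042",
        "SourceImage": r"C:\Windows\Temp\svchost.exe",
        "TargetImage": r"C:\POS\payapp.exe", "GrantedAccess": "0x1410",
    },
    {   # unknown binary, but only query rights on the handle: no alert
        "EventID": 10, "Computer": "REG-0042",
        "SourceImage": r"C:\Windows\Temp\svchost.exe",
        "TargetImage": r"C:\POS\payapp.exe", "GrantedAccess": "0x1000",
    },
    {   # access to an unrelated process: out of scope
        "EventID": 10, "Computer": "REG-0042",
        "SourceImage": r"C:\Windows\explorer.exe",
        "TargetImage": r"C:\Windows\notepad.exe", "GrantedAccess": "0x1fffff",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The value of the rule is the allowlist: on a single-purpose register the set of processes that should ever open the payment application is tiny and static, so the rule produces few false positives there even though the same rule would be noisy on a general-purpose workstation.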
There's any number of ways their POS system could have been done securely, but somewhere a decision must have been made on costs, in regard to paring them down, which resulted in something about as secure as an intranet of unprotected Windows XP computers exposed to the internet. No isolated network, no encryption, dependence upon commodity *cough* Windows *cough* operating system, etc.
I'm sure it all looked great, until this happened, then they get 200% more wise.
Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.
A feeling of having made the same mistake before: Deja Foobar
This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.
Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...
Let's see.
In the '80s, when soldiers would get paid in cash or real paper checks, they would get robbed outside the army base gates on their way to the bank. Direct deposit solved that issue.
Used to be that people kept cash at home. But if your home burns down or you are robbed or whatever, you lose all your money. With CCs you dispute charges and don't lose a dime.
It's much, much more likely that hackers penetrated the network by other means, and then, once inside the network, compromised the POS systems -- which could then report back to the intermediary system, which could report out (or be repeatedly accessed from outside).
It's unlikely that the POS systems themselves reached out to the internet. That would have been noticed far, far too easily.
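The comment above describes two things worth watching in flow data: registers should never talk to the internet directly, and the intermediary that collects from them should only reach a short list of external endpoints. This added example (not code from the commenter or from any retailer) classifies constructed flow records against that model; the subnet, server address, allowlists and sample flows are assumptions made up for illustration.

```python
"""Classify flow records from a store network against a POS egress model:
registers talk only to approved internal services, and the back-office
intermediary talks externally only to approved endpoints.

All addresses, ports and sample flows are constructed for this example.
"""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")             # assumed corporate space
POS_SUBNET = ipaddress.ip_network("10.20.0.0/16")         # assumed register VLAN
INTERMEDIARY = ipaddress.ip_address("10.10.5.20")         # assumed back-office collector

# Assumed internal services a register may contact: (destination, port).
POS_ALLOW = {("10.10.5.20", 8443), ("10.10.1.5", 53)}
# Assumed external endpoints the intermediary may contact, e.g. the payment processor.
INTERMEDIARY_EGRESS_ALLOW = {("203.0.113.10", 443)}


def classify(flow: dict):
    """Return a reason string if the flow violates the egress model, else None."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    key = (str(dst), flow["dport"])

    if src in POS_SUBNET:
        if dst not in INTERNAL:
            return "pos-direct-internet"       # the easily noticed case
        if key not in POS_ALLOW:
            return "pos-unexpected-internal"   # lateral traffic between registers/servers
        return None

    if src == INTERMEDIARY and dst not in INTERNAL:
        if key not in INTERMEDIARY_EGRESS_ALLOW:
            return "intermediary-unexpected-egress"  # the more likely exfil path
    return None


def find_violations(flows):
    """Pair each offending flow with its reason, preserving input order."""
    out = []
    for flow in flows:
        reason = classify(flow)
        if reason:
            out.append((reason, flow))
    return out


def bytes_by_reason(flows):
    """Sum outbound bytes per violation reason; large totals point at exfiltration."""
    totals = {}
    for reason, flow in find_violations(flows):
        totals[reason] = totals.get(reason, 0) + flow["bytes"]
    return totals


# Constructed sample flow records (src, dst, dport, bytes).
SAMPLE_FLOWS = [
    {"src": "10.20.3.41", "dst": "10.10.5.20", "dport": 8443, "bytes": 4_200},       # ok
    {"src": "10.20.3.41", "dst": "10.10.1.5", "dport": 53, "bytes": 120},            # ok
    {"src": "10.10.5.20", "dst": "203.0.113.10", "dport": 443, "bytes": 90_000},     # ok
    {"src": "10.10.5.20", "dst": "198.51.100.7", "dport": 443, "bytes": 52_000_000}, # alert
    {"src": "10.20.3.41", "dst": "198.51.100.7", "dport": 80, "bytes": 800},         # alert
    {"src": "10.20.3.41", "dst": "10.10.9.9", "dport": 445, "bytes": 15_000},        # alert
]

if __name__ == "__main__":
    for reason, flow in find_violations(SAMPLE_FLOWS):
        print(reason, flow)
    print(bytes_by_reason(SAMPLE_FLOWS))
```

Membership is tested against 10.0.0.0/8 rather than the library's notion of private addresses so that the classification depends only on the model declared at the top; in practice the allowlists would come from the store's actual network design, and the byte totals per reason are what makes a single large upload from the intermediary stand out.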
Maybe instead, there is something Target should NOT have used in their store POS systems.
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407
I'll see your senator, and I'll raise you two judges.
False! It's dirt cheap, just a couple hundred dollars. You filled out an application, paid a fee, and got an enhanced port scan.
That is PCI compliance for a network, not an application. If you have an application that allows credit card swipes, and goes to a clearing house, it needs to be certified as well, and that ain't cheap.
How exactly does your shiny new (annually renewed) PCI DSS compliance accreditation protect ANYTHING? PCI compliance testing does nothing beyond proving that you at least installed a consumer grade router/firewall between your card reader, card data storage, and the internet.
It also shows that you exercised due diligence in securing your network, and prevents you from being sued for gross negligence. You don't need real security if you can show that you had some and therefore can't be sued.