Slashdot Mirror


Target Confirms Point-of-Sale Malware Was Used In Attack

wiredmikey writes "According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country. Steinhafel told CNBC's Becky Quick in an interview that malware was used in attacks that compromised the company's point of sale registers. According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy holiday shopping season. According to sources who spoke to Reuters, attackers used RAM scraper, or memory parser, malware to steal sensitive data from Target and other retail victims. Visa issued alerts about attacks utilizing these types of malware in April 2013 and again in August 2013. Memory parser malware targets payment card data being processed 'in the clear' (unencrypted) in a system's random access memory (RAM). 'The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,' Visa explained in a security advisory."

66 of 250 comments

  1. Cheap architecture + short cuts = DOOM by ackthpt · · Score: 4, Insightful

    There's any number of ways their POS system could have been done securely, but somewhere a decision must have been made on costs, in regard to paring them down, which resulted in something about as secure as an intranet of unprotected Windows XP computers exposed to the internet. No isolated network, no encryption, dependence upon commodity *cough* Windows *cough* operating system, etc.

    I'm sure it all looked great, until this happened, then they get 200% more wise.

    Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Cheap architecture + short cuts = DOOM by Stormy Dragon · · Score: 4, Interesting

      Really, the card companies ought to be black boxing the readers, so that the POS system never has access to unencrypted transaction information to begin with. They really only need to know if the transaction was approved.

      They already do this for small retailers (those little card reader/tape dispenser thingies sitting next to the register). They need to start forcing a similar system on the big retailers.

    2. Re:Cheap architecture + short cuts = DOOM by Penguinisto · · Score: 3, Interesting

      Seriously? Unless they radically alter how these things are built and networked, all it would take is one disgruntled cashier (or one willing to accept a percent of the take) + one register that isn't quite visible from the cameras + one appropriately-loaded USB stick (or similar device).

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Cheap architecture + short cuts = DOOM by lgw · · Score: 2

      ATM number keyboards are special: they never let a PIN into the RAM of the ATM, only a salted hash of the PIN. (Most of them are also horribly flawed in that they also have a "normal" mode, allowing a hacked ATM to display a UI to harvest PINs in that mode. Sigh.)

      Use this same technique for card readers: the magstripe reader doesn't ever put the raw bits on the wire, only a salted hash of those bits, so that's all that's available to a RAM scraper.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:Cheap architecture + short cuts = DOOM by i.r.id10t · · Score: 5, Insightful

      I'm sure it all looked great, until this happened, then they get 200% more wise.

      Experience is learning from mistakes you make

      Wisdom is learning from the mistakes other people make

      --
      Don't blame me, I voted for Kodos
    5. Re:Cheap architecture + short cuts = DOOM by houstonbofh · · Score: 2

      Not to mention that most of the popular POS systems run on XP, and still will for long after Microsoft has abandoned it.

    6. Re:Cheap architecture + short cuts = DOOM by aviators99 · · Score: 5, Interesting

      In 2015, EMV becomes required in the US. Those retailers who don't black box their card readers will be 100% liable for fraud at their point-of-sale (including stolen cards).

    7. Re:Cheap architecture + short cuts = DOOM by roc97007 · · Score: 2

      Windows XP? If only. I haven't seen a Target POS machine reboot, but the ones I've seen in other stores display the Windows 98 splash screen.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    8. Re:Cheap architecture + short cuts = DOOM by Anonymous Coward · · Score: 5, Interesting

      I'm very surprised that Target thinks that every register in every store was infected. Just getting them all running the same malware is a major feat. And how did this POS malware get ahold of the 70 million "guest" records that weren't on the POS devices?

    9. Re:Cheap architecture + short cuts = DOOM by udachny · · Score: 2, Interesting

      I build and support retail management systems, supply chain management, CRM, ERP for retailers, for suppliers, for shipping, logistics and such. The simplest way to use a bank terminal is NOT to connect it to a POS in the first place. But this means lack of integration and possible errors by a POS operator, if for example they have to indicate in the POS system whether it was a cash or a card transaction, etc. We provide our own Linux based solutions for all parts of the business management, including integrated, Linux based POS, but again, the way we integrate it, the POS doesn't even get to see the bank terminal information, it sends the total amount to the terminal and expects a confirmation or a rejection back from it, it doesn't operate the terminal, it is not even possible for the POS to know what is happening between the customer and the terminal. From my POV it is bad form to allow POS to know anything that the terminal does beyond final status of the transaction.

    10. Re:Cheap architecture + short cuts = DOOM by MobyDisk · · Score: 2

      There isn't much we can do until there is end-to-end encryption in the purchasing process. The POS device should never even know your pin or credit card number.

    11. Re:Cheap architecture + short cuts = DOOM by catfood · · Score: 4, Insightful

      That's because they're not paying the full costs of the damage they allow through poor security practices. If they reimbursed you and me and millions of other people for our time and effort to clean up their mess, it wouldn't be cheaper than solving the problem.

    12. Re:Cheap architecture + short cuts = DOOM by y86 · · Score: 5, Interesting

      I'm sure it all looked great, until this happened, then they get 200% more wise.

      Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.

      I worked for a MAJOR retailer that was involved with a credit card crisis. The only reason the registers didn't get raped was the fact they ran linux. The actual POS servers ran Windows 2000 so that is what got cracked. Management was working hard to get away from these solid state linux computers for the "cost savings" in administration of the Windows platform. I can tell you that a multipurpose platform is not appropriate for a specialized task.

    13. Re:Cheap architecture + short cuts = DOOM by Anonymous Coward · · Score: 2, Interesting

      ATM keypads don't generate hashes of your PIN. They hold a cryptographic key that is derived from another key from the network and then use the resulting key to encrypt your PIN entry, but you are correct. Those keys and your PIN number are held in memory on the PIN pad.

    14. Re:Cheap architecture + short cuts = DOOM by jeffmeden · · Score: 2

      DOOM is one of the most ported pieces of software in history, so it's only natural...

      http://www.techdigest.tv/2013/10/10_gadgets_that.html

    15. Re: Cheap architecture + short cuts = DOOM by Anonymous Coward · · Score: 2, Interesting

      Nope. But they all offshored their IT to India.

    16. Re:Cheap architecture + short cuts = DOOM by sunderland56 · · Score: 5, Interesting

      This.

      For the attack to happen the way Target says, there must be two MAJOR flaws in their network:

        - the POS machines must be accepting software updates from the network - to allow the attackers to download their firmware;

        - the POS machines must be able to connect to an arbitrary server not on the Target network - to allow the POS machines to transmit the collected data.

      There is no valid reason for either of these. Need to update firmware? Have the IT guy at each store do it manually. And, install a decent firewall so that random machines inside your store can't talk to the outside world. (This will both prevent security breaches, *and* stop the employees in the photo department from surfing the web when they're supposed to be working).

    17. Re:Cheap architecture + short cuts = DOOM by DickBreath · · Score: 5, Informative

      > the card companies ought to be black boxing the readers, so that the POS system never has access to unencrypted transaction information

      You're on the right track. Keep going! Don't stop yet.

      How about black boxing the cards?!!!

      AKA, Smart Cards. The card itself has a complete computer running Java just like the SIM card in your GSM phone. The computer on the smart card is black boxed. That computer has a private certificate. When transactions are signed by the processor in the card itself, the certificate chain can be verified that the certificate within the smart card is genuine and signed the transaction. Attempting to learn the secret data within the smart card destroys the data, or at least is extremely expensive -- and would only compromise that card making the attack not economically attractive.

      --

      I'll see your senator, and I'll raise you two judges.
    18. Re:Cheap architecture + short cuts = DOOM by Havokmon · · Score: 2

      Yes, I'm not sure why the unencrypted card stripe data needs to be anywhere except in the little black box (LBB) that swipes the card and the bank's computer.

      The interface between the cash register and LBB could/should be.

      What bank? Here is the basic process:
      User (swipe)-> Merchant (dial)-> Front-End Processor (T1) -> card issuer.

      At least the first 6 digits need to be unencrypted so the transaction attempt can be routed to the correct bank. Of course, with terminals accepting Amex (15 digits), and proprietary cards - it's probably not even that easy.

      As it is, (though I've been out of the biz for 5 years), there are no terminals that encrypt the transaction end to end. The front-ends only accept unencrypted data (via encrypted transmission).

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
    19. Re:Cheap architecture + short cuts = DOOM by Mashiki · · Score: 2

      What is it with people and thinking that a smartcard = RFID? And it seems to be mainly americans who should know better, damn it this is /. not a chan or reddit. But it sure seems to be devolving into both.

      Here, let the learning begin.
      Smartcard
      RFID

      --
      Om, nomnomnom...
    20. Re:Cheap architecture + short cuts = DOOM by girlintraining · · Score: 4, Interesting

      In 2015, EMV becomes required in the US. Those retailers who don't black box their card readers will be 100% liable for fraud at their point-of-sale (including stolen cards).

      Retailers are 100% liable today. And that's the problem!

      EMV offers no additional protection whatsoever in a card present scenario unless the customer is required to enter a PIN. Which as you know.. convenience blah blah, speed blah, reasons. And nobody will. Even "einstein" level smart chips are useless without a PIN. What EMV was designed to do is reverse the precedent that banks are responsible for bearing the costs of fraud unless the customer can be proven to have been negligent. All EMV is, is an attempt by the industry to dial things back to the way they were pre-2009 -- which was where they could claim the systems were perfect and infallible, therefore all liability is with the customer. It took an act of Congress, also known as the FSA, to override the courts and provide relief to the customers. It's taken a lot of work on the down-low getting key positions in the Senate filled by sympathetic Republicans, but behold! EMV: Now the courts and congress can be fully aligned in their desire to screw over the customer. Its motto might as well be Enter your PIN: Assume full liability.

      Also... I don't know what you think "black box" means, but merely separating the card swiper from the cashier's hands is not "black box" in IT; and that's all EMV does. In IT, black box means that the entire interface is subsumed into an external device, not networked, and not user-programmable, and it provides a pass/fail signal or similar. Retail will never, ever, go for this. Your name and zip code is embedded in the card; that's valuable marketing data. They're not going to reduce transactions to what would essentially be anonymous... this is just common sense.

      So I'm going to have to slap on the cliche "Citation Needed" onto your assertion. EMV has but one purpose -- to deprive consumers of any recourse to fraud in a card-present scenario, and to reduce liability to the banks in a CNP scenario as well. Fraud is a multi-billion dollar industry, and businesses like fixed costs. Everything about card transactions is a fixed cost to the bank, except for fraud. Make the customer responsible, and now everything is nice and orderly.

      --
      #fuckbeta #iamslashdot #dicemustdie
    21. Re:Cheap architecture + short cuts = DOOM by aviators99 · · Score: 2

      Clearly you have a good understanding of the issues with EMV.

      I was only talking about the "black box" nature and liability shift of EMV (in the context of TFA and the GP).

      The EMV (chip and pin) box handles encryption completely within the box, thus making it a "black box" in the way the GP was talking about. TFA talks about using memory scanner malware to read card data (and assumingly PII). The black box nature of the EMV box mitigates this threat very well, unless the manufacturer does something really stupid like running XP Embedded or something like that. But more likely this box is running some RTOS or an OS that can not easily have malware injected into it.

      The POS systems that currently read credit cards using USB card reading apparatus are extremely vulnerable, which is the point of TFA. Going to EMV takes the card/PIN encryption out of the realm of this particular vulnerability. Note that in the Target exploit, only encrypted PIN codes were harvested. That's because the encryption of debit card PIN codes is done via a separate "black box" PIN pad. So I don't think that there is any question that moving the encryption outside of the retail POS itself is a net gain to security and privacy. It also reduces skimming itself by having the card in the hands of the merchant staff much less, if at all.

      As far as the liability shift, here's a citation:
      http://www.firstdata.com/downloads/thought-leadership/EMV_US.pdf

    22. Re:Cheap architecture + short cuts = DOOM by ShaunC · · Score: 2

      Need to update firmware? Have the IT guy at each store do it manually.

      Ha, ha, ha. An IT guy for each store? Where is the CEO's bonus supposed to come from if they're spending money on employees like that?

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    23. Re:Cheap architecture + short cuts = DOOM by Fnord666 · · Score: 2

      Experience is learning from mistakes you make

      I thought experience was something that you get right after you need it.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    24. Re:Cheap architecture + short cuts = DOOM by DigitAl56K · · Score: 2

      Or maybe it is because the exploits they were using were made specifically for Windows, and not Linux.

      You miss the point entirely. Of course they were exploits made for Windows. They were targeting Windows-based devices. They didn't attack the devices because they ran Windows. They attacked them because they wanted the data. They would have attacked them if they had run Linux, too.

      If the entire system was Linux it may have been harder all around to get the data.

      Why, because Linux is magic? They would need to find just one exploit that lets them get enough privileges to read the memory. That exploit could be in Linux, that exploit could be in the POS software that runs on Linux.

      I'm no Windows CE fanboy, believe me, but Linux doesn't make this problem go away via voodoo. This should be a story about securing their POS network, IDS, systems monitoring, how payment devices and the code that runs on them is verified, etc.

    25. Re:Cheap architecture + short cuts = DOOM by jader3rd · · Score: 4, Informative

      Need to update firmware? Have the IT guy at each store do it manually.

      Wait, what? That's exactly the opposite of how a large shop runs their operations. You create an image that you want applied to all machines that match a certain profile, and then let the machines do the updates at a preconfigured time.

    26. Re:Cheap architecture + short cuts = DOOM by Spillman · · Score: 2, Informative

      The card number couldn't be hashed because the merchant's EFT processor routes the transaction to the cardholder's bank by using the BIN number, which is the first 6 (usually) digits of the card number. The rest of the track 2 data could not be hashed either, since it is used to calculate your PIN by your bank.

      You might be interested in reading:

      ISO 8583

      and also, How pin checking generally works

      --
      sig?
    27. Re:Cheap architecture + short cuts = DOOM by matthewv789 · · Score: 2

      Indeed. But if you read the case study linked from here, you'll see that a major Target initiative over the past decade has been centralizing all of their internal systems, from inventory to pharmacy to in-store security to point-of-sale, into a single physical server per store running Microsoft Server 2008 and Hyper-V virtualization. Furthermore, the virtualization, OSes (some are AIX) and applications are all maintained and updated centrally, not by anyone physically in each store. (Target employs local contractors for in-store installation and maintenance.)

      Thus, anyone who is able to access the central source for updates could compromise every IT function running in all Target stores.

    28. Re:Cheap architecture + short cuts = DOOM by neokushan · · Score: 2

      tap to pay = RFID == lower security

      Can we not spread bullshit and FUD on /. please?

      The "tap to pay" interface is linked directly to the smart card. There are some protocol differences to handle the faster nature of the transaction, but it's still EMV, it's still just as secure as the chip itself, it's just contactless.

      Even if the terminal itself was compromised and you could read the chip directly, you won't get anything useful from it. Sure, you'll get track2 data (i.e. the magstripe information) but it's useless for EMV as an EMV transaction has several layers of security. Encryption, hashing, cryptograms, essentially there's no way to replay a transaction even if you capture every bit of data from it. In EMV, the terminal isn't trusted, it just acts as an intermediary between card and host. Both the card AND the host can decide to decline a transaction. The card, at any point, can force a terminal to go online if it's not satisfied with the terminal (and will occasionally do so just for the sake of it, because certain floor limits have been hit) and if the terminal doesn't do this, the transaction is cancelled.
      AT BEST, a criminal could remotely pass through your card's APDUs wirelessly to another transmitter to perform a fraudulent transaction but contactless payments are limited by a maximum spend (usually something like $15 or $20) and will often still require your PIN to proceed.

      Your scaremongering isn't helping anyone, it's just causing people to stick with magstripe which is so insecure it's utterly laughable.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  2. Somebody should be by soon by cold fjord · · Score: 2, Insightful

    Somebody should be by soon to defend the l33t crackers involved in this. Can't wait to read it....

    "We did you a service, now you know." Of course they won't give up anything they managed to steal.

    Brace yourself for new laws.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  3. Inside job? by BringsApples · · Score: 5, Interesting
    All quotes from TFA:

    "Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target," Reuters reported, citing sources familiar with the attacks. "Those breaches have yet to come to light...

    What the hell, why not? I had to cancel one of my family debit cards because of Target, do I now have to cancel my other one from an unnamed store?

    After gaining access to a merchant’s network, attackers can install memory-parsing malware on register systems or backend processing servers to extract magnetic-stripe data as it moves through the payment process.

    How are they gaining access to Target's network? Maybe it's from the ever-famous wireless network that's in all Target stores, and is prone to attacks, based purely on its password policy (changes automatically once a month - or doesn't at all - I hear)

    “The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,” Visa explained in a security advisory.

    Again, how did they not only get into the system, but how'd they know the executable binary that was running? I mean, this isn't something that was done in one day, it had to be a collective goal for more than one person.

    Visa first warned about these types of attacks targeting grocery merchants, but said merchant segment is vulnerable. According to Visa, these types of memory parser malware attacks have been found only targeting Windows-based operating systems.

    This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.

    In March 2013, new malware was found targeting point-of-sale (POS) systems and ATMs and was behind the theft of payment card information from several US banks. Called "Dump Memory Grabber", the malware scans the memory of point-of-sale systems and ATMs looking for credit card data.

    And how the shit does one gain access to an ATM's RAM?

    All in all, I feel that this must have been an inside job of some kind. Not just a Target employee, but a Target employee(s) and someone who has access to ATMs inner-workings.

    --
    Politics; n. : A religion whereby man is god.
    1. Re:Inside job? by houstonbofh · · Score: 5, Insightful

      This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.

      Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...

    2. Re:Inside job? by Reibisch · · Score: 2

      This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.

      So you're saying that you're a security by obscurity advocate then.

      Not running on an embedded Windows installation might seem like a safe bet, but as TFA mentions, this vector had to do with processing the payments in the clear -- simply running another OS doesn't necessarily give you that for free.

  4. Re:CASH by Anonymous Coward · · Score: 2, Interesting

    It's the only answer to limit exposure to mass fraud.

    Yeah, because there was no fraud before electronic transactions.. Last report I saw (admittedly around a year ago), old style "manual" money fraud (counterfeit, impersonating, etc.) was still estimated to exceed electronic fraud by an order of magnitude.

  5. Well, then. by roc97007 · · Score: 2

    > [...] that malware was used in attacks that compromised the company's point of sale registers.

    See?? There is still a market for Windows 98 programmers!

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  6. Re:They were not in PCI-DSS compliance. by MobyDisk · · Score: 2

    The Card Readers they used should have been encrypted making all sensitive data only decipherable to the processor.

    It sounds like it was encrypted, and the malware was on the processor.

    There would have been no data "in the clear" even if they were RAM Scraping.

    The article claimed it had to be decrypted in memory in order to process it. I think this is a fundamental limitation of the credit system.

  7. Re:Cash only economy by jythie · · Score: 2

    And that is why it is unlikely there will be some big (or slow) revolution to go cash based. All the methods of handling your money have advantages, disadvantages, emotional attachments, and probabilities associated with them, with each person or demographic group weighing them differently.

  8. Yes. Inside job without a doubt. by Anonymous Coward · · Score: 5, Informative

    I worked on POS systems back in the late 90s - so, keep in mind my knowledge is not recent - no really, retailers move at a snail's pace when it comes to technology.

    First, this was an inside job. POS systems are too stupid to connect to the Internet.

    Second, back in my day, the register was a very dumb PC (DOS with an extender and later moved to Windows - yeah, I know). Network security NEVER entered the picture because it is a closed system: POS->Store server->Local/Main office over leased lines or VPN on the internet. The servers were slow shit. All they need to do is record sales data.

    In other words, IF the POS servers were in fact connected to the Internet so that crackers could get it, then someone really really really screwed up because there was absolutely no reason to do so. Too slow.

    And if these servers WERE connected to the Internet, all the crackers would see is unencrypted transaction data: CC #s, exp dates, amounts, what was bought, names, and all the other data collected by the POS computer. Yeah, wide open - because it was thought that no one outside the store would ever see it.

    Retailing, in general, is a VERY competitive business with razor thin margins. Go to your finance website of choice and compare Walmart's, Target's, Sears' or whoever's operating margins with any other industry's company - Pharma is my favorite comparison: try Bristol-Myers Squibb (BMY). So, they take THE cheapest way out every time.

    1. Re:Yes. Inside job without a doubt. by mythosaz · · Score: 4, Insightful

      It's much, much more likely that hackers penetrated the network by other means, and then, once inside the network, compromised the POS systems -- which could then report back to the intermediary system, which could report out (or be repeatedly accessed from outside).

      It's unlikely that the POS systems themselves reached out to the internet. That would have been noticed far, far too easily.

    2. Re:Yes. Inside job without a doubt. by RabidReindeer · · Score: 3, Interesting

      It's much, much more likely that hackers penetrated the network by other means, and then, once inside the network, compromised the POS systems -- which could then report back to the intermediary system, which could report out (or be repeatedly accessed from outside).

      It's unlikely that the POS systems themselves reached out to the internet. That would have been noticed far, far too easily.

      I'm not so sure. I happen to know of a certain well-known vendor of POS systems that is A) sloppy about a lot of things. B) pushing more and more of people's business onto their servers in their cloud. If their customer is also getting Lower Prices Everyday on their IT, so much the easier.

      And I do suspect the Cloud. Because infecting store-local systems in enough physical locations to capture 70 million or more accounts would be very labor-intensive. It's far easier to infect the Mothership and let it corrupt the local systems.

    3. Re:Yes. Inside job without a doubt. by Anonymous Coward · · Score: 2, Informative

      That's how it used to be.
      These days, they usually have the same type of in-house network, often the POS terminals are just repackaged PC gear in a custom shell/case. Sometimes they run them as terminals, sometimes are a locked-down client with a custom OS. These do not, as you mention, have any internet access.
      But the main server will have some kind of connection, in order to upload transaction data and do inventory synchs with Warehousing. And it's cheaper to do that over the internet via VPN tunnel than it is to buy up actual point to point circuits. And well hell, let's offer free Wi-Fi as well! and even though generally those networks are kept segregated, it means there are a lot more scenarios for exploits to happen. So if you can get some malware to push out to the store servers, you very easily might not need to infect the client workstations at all. And in turn, you might find a way to ride into the network from the clients.

    4. Re:Yes. Inside job without a doubt. by mjwx · · Score: 2

      I worked on POS systems back in the late 90s - so, keep in mind my knowledge is not recent - no really, retailers move at a snails pace when it comes to technology.

      First, this was an inside job. POS systems are too stupid to connect to the Internet.

      I think your info's a little out of date. Most stores run embedded Windows XP on their Point Of Sale equipment (Although the other meaning of POS is perfectly suitable here). It's trivial to connect them to the internet. But all you really have to do is connect them to a network (which you have to for EFT to work, let alone connecting back to the mainframe that runs the POS back end) which then makes them vulnerable to a worm from a single infected computer. Not that I disagree that this is an inside job, it's still the most likely explanation even if the staff member was working for someone else.

      Also, because banks charge per EFTPOS terminal, a lot of stores will have all electronic transactions done by a single computer in store and all other terminals will be slaved to that computer, when you pay $30 per EFTPOS terminal per month, with 15 checkouts that adds up to a bit ($5400 per year) and as you said, retail operates on razor thin margins.

      Working on point of sale systems in the 2010s has scared me out of using my card in store. Cash is safer as ATMs are much harder to break into.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  9. Re:Cash only economy by alen · · Score: 4, Insightful

    let's see
    in the '80s when soldiers would get paid in cash or real paper checks they would get robbed outside the army base gates on their way to the bank. direct deposit solved that issue

    used to be that people kept cash at home. but if your home burns down or you are robbed or whatever, you lose all your money. with CCs you dispute charges and don't lose a dime

  10. Surely they mean "*outgoing* CEO"...? by jeffb (2.718) · · Score: 2

    I must be having some rendering issue in my browser. No matter how many articles I read mentioning "Target Chairman and CEO Gregg Steinhafel", I can never make out the word "outgoing" in front of the title. Not even "embattled". It must be a browser problem. I can imagine some weird bug that would cause such words to be rendered as hidden text; I can't imagine a world where a CEO would emerge unscathed from a screw-up of this magnitude. Right?

  11. Re:Quick fix for the POS POS machines ... by paulzeye · · Score: 2

    Needs to be a little more complex. Any easy way around your measure would be to have a compromised jump box somewhere else on Target's network. POS machines send data to jump box, jump box uploads it to internet. Access to the POS VLAN needs to be tightly controlled- but then you need to pull logs of some of them, put patches and updates on them, authenticate users, after a while your VLAN has lots of holes in it.
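
An added example (not code from the thread, from Target, or from any product) of the check paulzeye's relay scenario calls for: given flow records from the store network, flag registers that talk to anything outside a small allow list, and then flag any internal host that was fed by registers and later sends traffic out to the Internet. The VLAN ranges, the allow list, and the flow lines are all constructed for the example and are assumptions, not Target's layout.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport nbytes")

# Constructed sample flow records: timestamp, src, dst, dst port, bytes.
# The addresses and VLAN layout are assumptions made for this example.
SAMPLE_FLOWS = """\
2013-12-02T03:14:00Z,10.50.12.21,10.50.1.5,9100,1820
2013-12-02T03:14:07Z,10.50.12.21,203.0.113.10,443,2210
2013-12-02T03:15:11Z,10.50.12.21,10.10.44.7,445,5120000
2013-12-02T03:15:12Z,10.50.12.22,10.10.44.7,445,4870000
2013-12-02T03:40:02Z,10.10.44.7,198.51.100.23,21,9910000
2013-12-02T03:41:00Z,10.10.44.7,10.10.1.2,53,120
2013-12-02T03:50:00Z,10.50.12.23,198.51.100.23,443,300000
"""

POS_VLAN = "10.50.0.0/16"          # assumed register VLAN
INTERNAL_NETS = ["10.0.0.0/8"]     # assumed corporate address space
# The only places a register has any business talking to: the in-store
# server and the payment processor's gateway (both assumed addresses).
ALLOWED_DSTS = {("10.50.1.5", 9100), ("203.0.113.10", 443)}


def parse_flows(text):
    """Parse the CSV flow lines above into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def find_exfil_paths(flows, pos_vlan=POS_VLAN, allowed=ALLOWED_DSTS,
                     internal_nets=INTERNAL_NETS):
    """Flag registers leaving their allow list, directly or via an internal relay."""
    pos_net = ipaddress.ip_network(pos_vlan)
    internal = [ipaddress.ip_network(n) for n in internal_nets]

    def is_internal(ip):
        # Membership in our own ranges, not ip_address().is_private: the
        # documentation ranges used in the sample count as "private" there.
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in internal)

    findings = []
    relays = {}  # internal host -> POS flows that reached it unexpectedly
    for f in flows:
        if ipaddress.ip_address(f.src) not in pos_net:
            continue
        if (f.dst, f.dport) in allowed:
            continue
        if is_internal(f.dst):
            relays.setdefault(f.dst, []).append(f)
        else:
            findings.append({"kind": "direct", "pos_sources": [f.src],
                             "external_dst": f.dst, "nbytes": f.nbytes})

    # A relay becomes interesting once it talks to the outside world after
    # being fed by registers. ISO-8601 timestamps compare correctly as strings.
    for relay, inbound in relays.items():
        first_seen = min(x.ts for x in inbound)
        for f in flows:
            if f.src == relay and f.ts >= first_seen and not is_internal(f.dst):
                findings.append({"kind": "relay", "relay": relay,
                                 "pos_sources": sorted({x.src for x in inbound}),
                                 "external_dst": f.dst, "nbytes": f.nbytes})
    return findings


if __name__ == "__main__":
    for hit in find_exfil_paths(parse_flows(SAMPLE_FLOWS)):
        print(hit)
```

On the sample data this reports two paths: one register going straight to an outside address, and two registers feeding an internal SMB host that later pushes ten megabytes out over FTP. The allow list is what makes the check workable, and it is also where the comment's warning bites: every exception added for log collection, patching or authentication becomes an allowed destination that could serve as the relay, so the allow list needs the same review as the VLAN ACLs.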

  12. Got email from Target offering free credit monitor by m00sh · · Score: 5, Interesting

    I got an e-mail from Target offering me free credit monitoring.

    Yeah, they leaked my name, address, credit card number etc and now they want me to sign up for credit monitoring with them. Just input your social security number and answer a few questions ...

    We have been hearing about how Target figures out if you're pregnant before your family does. They have been doing all sorts of data mining on people.

    I suspect what is leaked is just not the name, address and credit card info on their subscribers. What if they have a profile on each of their customers that is also leaked? What if they compiled all sorts of data about their customers from various sources, like relationships, employment field, estimated incomes and other bits of info from the credit history? What if all that was leaked?

  13. Re:NSA-level shit by jeffmeden · · Score: 2

    These Russian hackers know their shit.. almost as good as the NSA.

    There's a good case to be made for the NSA to go after them at this point.

    Who's against the NSA now??

    Ah, er, if it were actually the NSA that engaged in protecting against/pursuing/prosecuting these types of things, then yes not as many people would be "Against" them. Alas, they don't (and make no promises to) do anything of the sort. Continuing to snoop on unsuspecting people around the world? That IS in their wheelhouse.

  14. Why not thin clients using PCoIP or RDP? by kriston · · Score: 2

    Why are they not using thin clients like VMware, Citrix, with PCoIP? I recently visited a Bob's furniture store and all their POS terminals were thin clients using either RDP, Citrix, or bus virtualization protocols like PCoIP. Same with the terminals at all the centers at another firm.

    With the current generation thin clients, particularly the nifty PCoIP ones, local performance is very attainable even though it isn't really needed for POS terminals. VMware has offered PCoIP since 2008 and Amazon has just released their implementation.

    I think Target deserves what they got for having POS terminals that are allowed to be locally modified in any way.

    --

    Kriston

  15. Re:Cash only economy by mlts · · Score: 2

    The people who have been pushing gold and silver on us for a while have said the same thing. However, there are a few problems with that:

    1: If someone even got an inkling that someone was carrying a large amount of cash for a purchase, they likely would be mugged. Someone nearby seeing someone at McDonalds having a large wad in their wallet might make them a prime target. The reason why muggings are down is because it is a lot harder to make any useful money from a pile of credit cards. It can be done, but it is easily traced.

    2: Fundamentally, our currency exchange system is working. It just needs a cryptographic overhaul, work with tokenization, and separation of duties. That way, it would require attacking individual registers physically instead of pushing code from remote, and even then, the "black box" that one inputs a PIN from would be isolated, so one might get a hashed, encrypted value, and that's it.

    3: Physical cash is slower. I can make a purchase online in seconds. To do the same thing in paper bills would take days to weeks.
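
An added example, not from the page or from any vendor, contrasting the two register designs mlts describes in point 2: in the first, the swipe delivers track data to the register in the clear and a memory parser of the kind discussed in this thread finds it with a regex plus a Luhn check; in the second, an encrypting PIN pad hands the register only ciphertext and a token, so the same sweep finds nothing. The HMAC-based keystream is a toy stand-in for the PIN pad's real cipher, the buffer contents are constructed, and the card uses the standard 4111... test PAN; all of these are assumptions of the example.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Track 1 / Track 2 as they sit in the clear in a register's memory.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=\d{7}[^?]*\?")


def luhn_ok(pan):
    """Mod-10 check a scraper applies to drop false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode())):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape(memory):
    """What a memory parser does: sweep a process buffer for track-shaped data."""
    return [m.group(0) for rx in (TRACK1_RE, TRACK2_RE)
            for m in rx.finditer(memory) if luhn_ok(m.group(1))]


# --- The "black box" side: the PIN pad encrypts before the register sees anything.
def _keystream(key, nonce, length):
    # Toy keystream (HMAC-SHA256 in counter mode) standing in for the PIN pad's
    # real cipher (DUKPT/TDES or AES in practice); the point is only that the
    # register never receives plaintext.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def ped_encrypt(key, track):
    """Encrypt inside the PIN pad; fresh nonce per swipe."""
    nonce = secrets.token_bytes(12)
    ks = _keystream(key, nonce, len(track))
    return nonce + bytes(a ^ b for a, b in zip(track, ks))


def ped_decrypt(key, blob):
    """Only the processor holds the key; the register never calls this."""
    nonce, body = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def tokenize(track):
    """Surrogate the register keeps for receipts and returns: random id + last four."""
    pan = TRACK2_RE.search(track).group(1)
    return b"tok_" + secrets.token_hex(8).encode() + b"_" + pan[-4:]


# Constructed test card (4111... is the standard Visa test PAN, not a real account).
SAMPLE_TRACK1 = b"%B4111111111111111^DOE/JOHN^25121011234567890?"
SAMPLE_TRACK2 = b";4111111111111111=25121011234567890?"
NOISE = b"\x00\x00txn=4421 store=0177 lane=12 amt=43.17 "


def legacy_register_memory():
    """Register that receives track data in the clear from the swipe."""
    return NOISE + SAMPLE_TRACK1 + NOISE + SAMPLE_TRACK2 + NOISE


def p2pe_register_memory(ped_key):
    """Register behind an encrypting PIN pad: ciphertext and a token only."""
    blob = base64.b64encode(ped_encrypt(ped_key, SAMPLE_TRACK2))
    return NOISE + blob + NOISE + tokenize(SAMPLE_TRACK2) + NOISE


if __name__ == "__main__":
    print("legacy register:", scrape(legacy_register_memory()))
    print("P2PE register:  ", scrape(p2pe_register_memory(secrets.token_bytes(32))))
```

The scraper is the same in both runs; what changes is what the register process ever holds. Pushed-out malware on the register gets two full tracks in the first case and a base64 blob plus a token that is useless outside the store's own systems in the second, which is why the attack then has to move to the PIN pad hardware itself, as the comment says.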

  16. POS by ThatsNotPudding · · Score: 3, Insightful

    They were quite psychic when selecting this particular acronym.

  17. it gets worse. by Anonymous Coward · · Score: 3, Interesting

    First, Target has NOT wiped and re-installed. As such, there are Trojans waiting to come alive and look for other malware to install.
    But it gets better. Everybody is missing the fact that all of the companies having this malware offshore their IT. What is happening is that Indians are paid $8-10k, and are then offered 100-200k to release the malware. Of course they do it. They are set up for life and do not hurt their peers.

    This will continue as long as American companies are dumb enough to offshore.

  18. Re:use bitcoin by DickBreath · · Score: 5, Insightful

    Maybe instead, there is something Target should NOT have used in their store POS systems.

    http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407

    --

    I'll see your senator, and I'll raise you two judges.
  19. Re:Cash only economy by mythosaz · · Score: 3, Interesting

    ...then they better start patting down everyone entering or exiting casinos.

    As a degenerate gambler and poker player (two different things), I've regularly got plenty of cash on me, and it's never, ever, been a problem. Thousands of people show up to the WSOP every year and pay for buy-ins in cash. Every poker forum gets the same question asked to it every year before the WSOP, "How do I bring 10-20k in cash with me to the WSOP?" ...and the same answer gets given every year. If you don't want to just wire your entry fee to the tournament cage (or your bankroll to a casino host), or you plan on just playing cash games, call your bank, tell them you're going to withdraw a bunch of cash - so they can have a bunch on hand - then take it with you to the event. If someone says, "Hey, what's all this cash," you say, "I'm a poker player." Works for thousands of us every time.

    Of course, I don't wander crack alleys with it, so, YMMV.

  20. Re:Got email from Target offering free credit moni by Rob the Bold · · Score: 2

    I got an e-mail from Target offering me free credit monitoring.

    Yeah, they leaked my name, address, credit card number etc and now they want me to sign up for credit monitoring with them. Just input your social security number and answer a few questions ...

    Surely, they aren't offering to sign you up with their roll-your-own credit-monitoring system, right? (Because I wouldn't go for that either.) Last time I had a credit card possibly compromised, the retailer at fault gave me a free one year subscription to Equifax's credit monitoring service. I got a coupon code from the retailer, but all the interaction was with the credit bureau.

    (For the sake of closure on that anecdote, nothing weird happened over the following year.)

    --
    I am not a crackpot.
  21. Re:Got email from Target offering free credit moni by m00sh · · Score: 2

    Surely, they aren't offering to sign you up with their roll-your-own credit-monitoring system, right? (Because I wouldn't go for that either.) Last time I had a credit card possibly compromised, the retailer at fault gave me a free one year subscription to Equifax's credit monitoring service. I got a coupon code from the retailer, but all the interaction was with the credit bureau.

    (For the sake of closure on that anecdote, nothing weird happened over the following year.)

    Yes, it is through Equifax they say.

    The website is here. https://creditmonitoring.target.com/

  22. uh, don't use Windows based POS systems? by swschrad · · Score: 2

    all the bad boys know the ins and outs of Windows APIs. read the Visa alert, it's only Windows registers that get fooled and compromised.

    this is one of those things where using commodity software in any stripe is probably not advised. like, for instance, cars. airplanes. hope to God not nuclear reactors.

    embedded Windows is a freakin' end of civilization waiting for the right malware...

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  23. PCI Is Cheap And STUPID! by Anonymous Coward · · Score: 3, Informative

    Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...

    False! It's dirt cheap, just a couple hundred dollars. You filled out an application, paid a fee, and got an enhanced port scan. How exactly does your shiny new (annually renewed) PCI DSS compliance accreditation protect ANYTHING? PCI compliance testing does nothing beyond proving that you at least installed a consumer grade router/firewall between your card reader, card data storage, and the internet. Literally nothing between your card data and the internet beyond a 10 year old $50 Linksys router.

    But, God forbid your SMTP server utilize weak cyphers, cause that'll fail you right there! Does it matter that no-fucking-body is using TLS to exchange SMTP email? Nope! But, if you get your SMTP TLS fixed, your Linksys firewall will be fully PCI DSS compliant! Give me a fucking break.

    But, here's the kicker, IT WILL NEVER BE FIXED. If PCI demanded and enforced real security, it would be FAR too prohibitively expensive for most retailers, especially small shops, to be able to satisfy the requirements. This would cut into the card industry's profits. So, they will always make gestures like PCI DSS, but they will never be strong enough to be effective because that would damage Visa's profits.

    Remember, boys and girls, this entire debacle costs Visa NOTHING! False charges are rolled back and the merchant eats the cost of the fraudulent charges. Your credit card number gets stolen and is used fraudulently to buy lunch at some small restaurant? The restaurant gets the chargeback and eats the loss. Your card number gets used to buy some eBay stuff, same thing happens to the sap that was trying to make a buck on eBay. They lose their goods and their money.

    1. Re:PCI Is Cheap And STUPID! by houstonbofh · · Score: 4, Insightful

      False! It's dirt cheap, just a couple hundred dollars. You filled out an application, paid a fee, and got an enhanced port scan.

      That is PCI compliance for a network, not an application. If you have an application that allows credit card swipes, and goes to a clearing house, it needs to be certified as well, and that ain't cheap.

      How exactly does your shiny new(annually renewed) PCI DSS compliance accreditation protect ANYTHING? PCI compliance testing does nothing beyond proving that you at least installed a consumer grade router/firewall between your card reader, card data storage, and the internet.

      It also shows that you exercised due diligence in securing your network, and prevents you from being sued for gross negligence. You don't need real security if you can show that you had some and therefore can't be sued.

  24. heh, all outsourced at the stores by swschrad · · Score: 3, Informative

    the link is interesting reading. click it.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  25. Re:use bitcoin by Anonymous Coward · · Score: 4, Informative

    They're trying to pull it. Here's the text:-

    4-page Case Study
    Posted: 3/17/2011
    Target Corporation Large Retailer Relies on a Virtual Solution to Deliver Optimal Shopping Experience

    With its attractive stores offering trendy merchandise at affordable prices, Target changed how consumers think about discount shopping. To help Target deliver on its “Expect More. Pay Less.” brand promise, Target chooses reliable, scalable, and cost-effective technology. That’s why the company is deploying Windows Server 2008 Datacenter and its Hyper-V virtualization technology to retire 8,650 servers and implement a two-servers-per-store policy. By 2012, Target’s entire store server infrastructure will be running on Hyper-V, which will support a total of 15,000 virtual machines running mission-critical applications. Target also deployed Microsoft System Center data center solutions to manage more than 300,000 endpoints across its retail network. With its Microsoft Virtualization solution, the company will save millions of dollars in hardware, electrical, and maintenance costs.
    Situation
    The first Target store opened in 1962 in the Minneapolis suburb of Roseville, Minnesota, with a focus on convenient shopping at competitive discount prices. Today, Target remains committed to providing guests with the right merchandise mix—from everyday commodities and grocery offerings to trend-right home and apparel lines—at outstanding value. Target continually reinvents its stores, including layout, presentation, and merchandise assortment, to create an engaging shopping experience.

    “It’s not hyperbole to suggest that most of our guest shopping experiences are affected by our Microsoft Virtualization solution. That’s a good thing for Target, and it’s a good thing for our guests.”

    Brad Thompson
    Director, Infrastructure Engineering, Target
    To continue offering merchandise at appealing prices, Target looks for ways to control its operating costs. Consequently, the company’s IT department, called Target Technology Services, chooses technology that’s cost-effective and delivers real business value. “Target Technology Services is considered a strategic enabler for just about everything we do in retail strategy,” says Brad Thompson, Director of Infrastructure Engineering at Target. “That said, we are still a cost center, and so we are always looking to drive down costs where possible, as long as we meet the requirements of our guests, our application development teams, and our business partners.“

    Amy Reilly, Spokesperson for Target, points out that technology also underlies the customer experience at each Target store: “When our guests come into our stores, they have a certain expectation of their experience. They expect clean, wide aisles and to find what they need and check out quickly because they lead busy lives. So reliability in our technology, including our POS [point-of-sale] and replenishment applications, is very important to helping us deliver on our ‘Expect More. Pay Less.’ brand promise.”
    Distributed IT Infrastructure
    Target has a highly distributed IT infrastructure with more than 300,000 endpoints, including servers, computers, POS registers, kiosks, and mobile devices dispersed among its 1,755 retail stores. Except for centralized authentication, domain name resolution, and endpoint monitoring services, each retail store functions as an autonomous unit. “Every one of our stores has its own control room, with its own network and compute capacity inside the store,” says Thompson. “So if you think of our infrastructure across all those stores, we have to get very crea

  26. Re:NSA-level shit by Old97 · · Score: 2

    The NSA is an intelligence gathering agency; they are not law enforcement. They have no jurisdictional boundaries to their operations. As a U.S. government agency they are supposed to have to observe some niceties insofar as operating in the U.S. and targeting U.S. citizens what with the Constitution and all. Their failure to always do that is where they've gone wrong. And, as you've indicated, they've probably collected so much information that it's getting in the way of useful intelligence analysis. Too much can be worse than not enough. The other fun fact is that they and their allied agencies in other countries seemed to get around some restrictions by letting the "foreigners" do the spying on the domestics for them and then exchanging what they collected.

    --
    Very often, people confuse simple with simplistic. The nuance is lost on most. - Clement Mok
  27. Re:Cash only economy by JeffAtl · · Score: 2

    Of course cops outside of casinos wouldn't do that as it would destroy the local economy. I'm referring to getting pulled over at a traffic stop.

    If you get pulled over and a cop finds out that you are carrying $10-20k, there is a likely chance it will get seized. Just google "cash seized on way to buy car". Boats, planes, homes can be substituted for "car".

  28. Maybe DOOM was not from swiping POS by pcwhalen · · Score: 2

    70 million names, addresses, emails, and other personal information data sets were also stolen.

    I'm not sure, but I don't think black boxes at credit card terminals would have solved that problem.

    I think Target was data mining, and their database got hacked.

    --
    Pay no attention to the man behind the curtain with all your metadata.
  29. Re:NSA-level shit by dave562 · · Score: 3, Insightful

    This is where the "fusion centers" are supposed to come into play. The NSA is not law enforcement, but the FBI is (was) and so are other Federal and State agencies. As others have pointed out, the NSA should have seen this. They have taps in all of the backbone routers. Surely they have a decent algorithm that highlights data going to (Eastern Europe, China, etc). We know that they are analyzing plain text and decrypting SSL/TLS when plain text is not available.

    They should absolutely have a map of legitimate financial networks, payment authorization data flows, etc. Anything outside of that known universe should be flagged and investigated. They are already doing this to combat money laundering, and to enforce the economic sanctions that the State Department and other Federal agencies enact.

    The reality is that the NSA is not all about protecting our economy or predicting crime. They are there to uncover and crush any opposition to the government. Sure, they "cannot" catch these massive frauds, or pay attention to intelligence about terrorists planning on blowing up marathons. But trust you me, as soon as any of us start talking about armed insurrection or forcefully removing Senators, we will quickly figure out that the NSA has no problem acting upon what they want to act upon.

  30. Re:Cash only economy by mythosaz · · Score: 2

    I'm not sure what you mean by "likely a chance."

    It's certainly not likely that it'll get seized, but of course there's a chance -- it happens.

    I did your Google search, and the first article I read referenced The New Yorker as its source. Reading it, I got:

    The officers found the couple’s cash and a marbled-glass pipe that Boatright said was a gift for her sister-in-law, and escorted them across town to the police station.

    I'm not a fan of broad asset seizures for drug busts, but it wasn't carrying cash that got these two in trouble. It was putting cash in the same container as their pot-smoking equipment. The officers allege the smell of drugs, claim the couple was smoking, but didn't find any pot in the bust.

    The moral of the story is that police are certainly overzealous in the use of forfeiture items to line their pockets and supplement their budgets, but they're not just out seizing cash from people, and carrying cash in and of itself isn't "likely" to get it seized.

  31. Re:NSA-level shit by RabidReindeer · · Score: 2

    The NSA is an intelligence gathering agency; they are not law enforcement. They have no jurisdictional boundaries to their operations. As a U.S. government agency they are supposed to have to observe some niceties insofar as operating in the U.S. and targeting U.S. citizens what with the Constitution and all. Their failure to always do that is where they've gone wrong. And, as you've indicated, they've probably collected so much information that it's getting in the way of useful intelligence analysis. Too much can be worse than not enough. The other fun fact is that they and their allied agencies in other countries seemed to get around some restrictions by letting the "foreigners" do the spying on the domestics for them and then exchanging what they collected.

    Some of us don't consider the 4th Amendment to be a "nicety". That's what warrants are for.