Target Confirms Point-of-Sale Malware Was Used In Attack

wiredmikey writes "According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country. Steinfhafel told CNBC's Becky Quick in an interview that malware was used in attacks that compromised the company's point of sale registers. According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy the holiday shopping season. According sources who spoke to Reuters, attackers used RAM scraper, or Memory parser malware to steal sensitive data from Target and other retail victims. Visa issued alerts about attacks utilizing these types of malware in April 2013 and again in August 2013. Memory parser malware targets payment card data being processed 'in the clear' (unencrypted) in a system's random access memory (RAM). 'The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,' Visa explained in a security advisory."

Cheap architecture + short cuts = DOOM

[ackthpt]

There's any number of ways their POS system could have been done securely, but somewhere a decision must have been made on costs, in regard to paring them down, which resulted in something about as secure as an intranet of unprotected Windows XP computers exposed to the internet. No isolated network, no encryption, dependence upon commodity *cough* Windows *cough* operating system, etc.

I'm sure it all looked great, until this happened, then they get 200% more wise.

Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.

Re:Cheap architecture + short cuts = DOOM

[Stormy+Dragon]

Really, the card companies ought to be black boxing the readers, so that the POS system never has access to unencrypted transaction information to begin with. They really only need to know if the transaction was approved.

They already do this for small retailers (those little card reader/tape dispenser thingies sitting next to the register). They need to start forcing a similar system on the big retailers.

Re:Cheap architecture + short cuts = DOOM

[i.r.id10t]

I'm sure it all looked great, until this happened, then they get 200% more wise.

Experience is learning from mistakes you make

Wisdom is learning from the mistakes other people make

Re:Cheap architecture + short cuts = DOOM

[aviators99]

In 2015, EMV becomes required in the US. Those retailers who don't black box their card readers will be 100% liable for fraud at their point-of-sale (including stolen cards).

Re:Cheap architecture + short cuts = DOOM

I'm very surprised that Target thinks that every register in every store was infected. Just getting them all running the same malware is a major feat. And how did this POS malware get ahold of the 70 million "guest" records that weren't on the POS devices?

Re:Cheap architecture + short cuts = DOOM

[catfood]

That's because they're not paying the full costs of the damage they allow through poor security practices. If they reimbursed you and me a millions of other people for our time and effort to clean up their mess, it wouldn't be cheaper than solving the problem.

Re:Cheap architecture + short cuts = DOOM

[y86]

I'm sure it all looked great, until this happened, then they get 200% more wise.

Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.

I worked for a MAJOR retailer that was involved with a credit card crisis. The only reason the registers didn't get raped was the fact they ran linux. The actual POS servers ran Windows 2000 so that is what got cracked. Management was working hard to get away from these solid state linux computers for the "cost savings" in administration of the Windows platform. I can tell you that a multipurpose platform is not appropriate for a specialized task.

Re:Cheap architecture + short cuts = DOOM

[sunderland56]

This.

For the attack to happen the way Target says, there must be two MAJOR flaws in their network:

  - the POS machines must be accepting software updates from the network - to allow the attackers to download their firmware;

  - the POS machines must be able to connect to an arbitrary server not on the Target network - to allow the POS machines to transmit the collected data.

There is no valid reason for either of these. Need to update firmware? Have the IT guy at each store do it manually. And, install a decent firewall so that random machines inside your store can't talk to the outside world. (This will both prevent security breaches, *and* stop the employees in the photo department from surfing the web when they're supposed to be working).

Re:Cheap architecture + short cuts = DOOM

[DickBreath]

> the card companies ought to be black boxing the readers, so that the POS system never has access to unencrypted transaction information

You're on the right track. Keep going! Don't stop yet.

How about black boxing the cards?!!!

AKA, Smart Cards. The card itself has a complete computer running Java just like the SIM card in your GSM phone. The computer on the smart card is black boxed. That computer has a private certificate. When transactions are signed by the processor in the card itself, the certificate chain can be verified that the certificate within the smart card is genuine and signed the transaction. Attempting to learn the secret data within the smart card destroys the data, or at least is extremely expensive -- and would only compromise that card making the attack not economically attractive.

Re:Cheap architecture + short cuts = DOOM

[girlintraining]

In 2015, EMV becomes required in the US. Those retailers who don't black box their card readers will be 100% liable for fraud at their point-of-sale (including stolen cards).

Retailers are 100% liable today. And that's the problem!

EMV offers no additional protection whatsoever in a card present scenario unless the customer is required to enter a PIN. Which as you know.. convenience blah blah, speed blah, reasons. And nobody will. Even "einstein" level smart chips are useless without a PIN. What EMV was designed to do is reverse the precident that banks are responsible for bearing the costs of fraud unless the customer can be proven to have been negligent. All EMV is, is an attempt by the industry to dial things back to the way they were pre-2009 -- which was where they could claim the systems were perfect and infallible, therefore all liability is with the customer. It took an act of Congress, also known as the FSA, to override the courts and provide relief to the customers.It's taken a lot of work on the down-low getting key positions in the Senate filled by sympathetic Republicans, but behold! EMV: Now the courts and congress can be fully aligned in their desire to screw over the customer. It's motto might as well be Enter your PIN: Assume full liability.

Also... I don't know what you think "black box" means, but merely separating the card swiper from the cashier's hands is not "black box" in IT; and that's all EMV does. In IT, black box means that the entire interface is subsumed into an external device, not networked, and not user-programmable, and it provides a pass/fail signal or similar. Retail will never, ever, go for this. Your name and zip code is embedded in the card; that's valuable marketing data. They're not going to reduce transactions to what would essentially be anonymous... this is just common sense.

So I'm going to have to slap on the cliche "Citation Needed" onto your assertion. EMV has but one purpose -- to deprive consumers of any recourse to fraud in a card-present scenario, and to reduce liability to the banks in a CNP scenario as well. Fraud is a multi-billion dollar industry, and businesses like fixed costs. Everything about card transactions is a fixed cost to the bank, except for fraud. Make the customer responsible, and now everything is nice and orderly.

Re:Cheap architecture + short cuts = DOOM

[jader3rd]

Need to update firmware? Have the IT guy at each store do it manually.

Wait, what? That's exactly the opposite of how a large shop runs their operations. You create an image that you want applied to all machines that match a certain profile, and then let the machines do the updates at a preconfigured time.

Inside job?

[BringsApples]

All quotes from TFA:

"Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target," Reuters reported, citing sources familiar with the attacks. "Those breaches have yet to come to light...

What the hell, why not? I had to cancel one of my family debit cards because of Target, do I now have to cancel my other one from an unnamed store?

After gaining access to a merchant’s network, attackers can install memory-parsing malware on register systems or backend processing servers to extract magnetic-stripe data as it moves through the through the payment process.

How are they gaining access to Target's network? Maybe it's from the ever-famous wireless network that's in all Target stores, and is prone to attacks, based purely on it's password policy (changes automatically once a month - or doesn't at all - I hear)

“The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,” Visa explained in a security advisory.

Again, how did they not only get into the system, but how'd they know the executable binary that was running? I mean, this isn't something that was done in one day, it had to be a collective goal for more than one person.

Visa first warned about these types of attacks targeting grocery merchants, but said merchant segment is vulnerable. According to Visa, these types memory parser malware attacks have been found only targeting Windows-based operating systems.

This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.

In March 2013, new malware was found targeting point-of-sale (POS) systems and ATMs and was behind the theft of payment card information from several US banks. Called "Dump Memory Grabber", the malware scans the memory of point-of-sale systems and ATMs looking for credit card data.

And how the shit does one gain access to an ATM's RAM?

All in all, I feel that this must have been an inside job of some kind. Not just a Target employee, but a Target employee(s) and someone who has access to ATMs inner-workings.

Re:Inside job?

[houstonbofh]

This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.

GEtting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...

Yes. Inside job without a doubt.

I worked on POS systems back in the late 90s - so, keep in mind my knowledge is not recent - no really, retailers move at a snails pace when it comes to technology.

First, this was an inside job. POS systems are too stupid to connect to the Internet.

Second, back in my day, the register was a very dumb PC (DOS with an extender and later moved to Windows - yeah, I know). Network security NEVER entered the picture because it is a closed system: POS->Store server->Local/Main office over leased lines or VPN on the internet. The servers were slow shit. All they need to do is record sales data.

In other words, IF the POS servers were in fact connected to the Internet so that crackers could get it, then someone really really really screwed up because there was absolutely no reasons to do so. Too slow.

And if these servers WERE connected to the Internet, all the crackers would see is unencrypted transaction data: CC #s, exp dates, amounts, what was bought, names, and all the other data collected by the POS computer. Yeah, wide open - because it was thought that no one outside the store would ever see it.

Retailing, in general, is a VERY competitive business with razor thin margins. Go to your finance website of choice and compare Walmart's,Target's,Sear's or whoever's operating margins with any other industry's company - Pharma is my favoriate comparison: try Bristol Meyers Sqibb (BMY). So, they take THE cheapest way out every time.

Re:Yes. Inside job without a doubt.

[mythosaz]

It's much, much more likely that hackers penetrated the network by other means, and then, once inside the network, compromised the POS systems -- which could then report back to the intermediary system, which could report out (or be repeatedly accessed from outside).

It's unlikely that the POS systems themselves reached out to the internet. That would have been noticed far, far too easily.

Re:Cash only economy

[alen]

let's see
in the 80's when soldiers would get paid in cash or real paper checks they would get robbed outside the army base gates on their way to the bank. direct deposit solved that issue

used to be that people kept cash at home. but if your home burns down or you are robbed or whatever, you lose all your money. with CC's you dispute charges and don't lose a dime

Got email from Target offering free credit monitor

[m00sh]

I got an e-mail from Target offering me free credit monitoring.

Yeah, they leaked my name, address, credit card number etc and now they want me to sign up for credit monitoring with them. Just input your social security number and answer a few questions ...

We have been hearing about how Target figures out if you're pregnant before your family does. They have been doing all sorts of data mining on people.

I suspect what is leaked is just not the name, address and credit card info on their subscribers. What if they have a profile on each of their customers that is also leaked? What if they compiled all sorts of data about their customers from various sources, like relationships, employment field, estimated incomes and other bits of info from the credit history? What if all that was leaked?

Re:use bitcoin

[DickBreath]

Maybe instead, there is something Target should NOT have used in their store POS systems.

http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407

Re:use bitcoin

They're trying to pull it. Here's the text:-

4-page Case Study
Posted: 3/17/2011
Rate This Evidence:
[Click on the stars to rate this case study] [Click on the stars to rate this case study] [Click on the stars to rate this case study] [Click on the stars to rate this case study] [Click on the stars to rate this case study]
Target Corporation Large Retailer Relies on a Virtual Solution to Deliver Optimal Shopping Experience

With its attractive stores offering trendy merchandise at affordable prices, Target changed how consumers think about discount shopping. To help Target deliver on its “Expect More. Pay Less.” brand promise, Target chooses reliable, scalable, and cost-effective technology. That’s why the company is deploying Windows Server 2008 Datacenter and its Hyper-V virtualization technology to retire 8,650 servers and implement a two-servers-per-store policy. By 2012, Target’s entire store server infrastructure will be running on Hyper-V, which will support a total of 15,000 virtual machines running mission-critical applications. Target also deployed Microsoft System Center data center solutions to manage more than 300,000 endpoints across its retail network. With its Microsoft Virtualization solution, the company will save millions of dollars in hardware, electrical, and maintenance costs.
Situation
The first Target store opened in 1962 in the Minneapolis suburb of Roseville, Minnesota, with a focus on convenient shopping at competitive discount prices. Today, Target remains committed to providing guests with the right merchandise mix—from everyday commodities and grocery offerings to trend-right home and apparel lines—at outstanding value. Target continually reinvents its stores, including layout, presentation, and merchandise assortment, to create an engaging shopping experience.

*
* It’s not hyperbole to suggest that most of our guest shopping experiences are affected by our Microsoft Virtualization solution. That’s a good thing for Target, and it’s a good thing for our guests. *

Brad Thompson
Director, Infrastructure Engineering, Target
*
To continue offering merchandise at appealing prices, Target looks for ways to control its operating costs. Consequently, the company’s IT department, called Target Technology Services, chooses technology that’s cost-effective and delivers real business value. “Target Technology Services is considered a strategic enabler for just about everything we do in retail strategy,” says Brad Thompson, Director of Infrastructure Engineering at Target. “That said, we are still a cost center, and so we are always looking to drive down costs where possible, as long as we meet the requirements of our guests, our application development teams, and our business partners.“

Amy Reilly, Spokesperson for Target, points out that technology also underlies the customer experience at each Target store: “When our guests come into our stores, they have a certain expectation of their experience. They expect clean, wide aisles and to find what they need and check out quickly because they lead busy lives. So reliability in our technology, including our POS [point-of-sale] and replenishment applications, is very important to helping us deliver on our ‘Expect More. Pay Less.’ brand promise.”
Distributed IT Infrastructure
Target has a highly distributed IT infrastructure with more than 300,000 endpoints, including servers, computers, POS registers, kiosks, and mobile devices dispersed among its 1,755 retail stores. Except for centralized authentication, domain name resolution, and endpoint monitoring services, each retail store functions as an autonomous unit. “Every one of our stores has its own control room, with its own network and compute capacity inside the store,” says Thompson. “So if you think of our infrastructure across all those stores, we have to get very crea

Re:PCI Is Cheap And STUPID!

[houstonbofh]

False! It's dirt cheap, just a couple hundred dollars. You filled out an application, paid a fee, and got an enhanced port scan.

That is PCI compliance for a network, not an application. If you have an application that allows credit card swipes, and goes to a clearing house, it needs to be certified as well, and that ain't cheap.

How exactly does your shiny new(annually renewed) PCI DSS compliance accreditation protect ANYTHING? PCI compliance testing does nothing beyond proving that you at least installed a consumer grade router/firewall between your card reader, card data storage, and the internet.

It also shows that you exercised due diligence in securing your network, and prevents you from being sued for gross negligence. You don't need real security if you can show that you had some and therefore can't be sued.