Slashdot Mirror


Target Credit Card Data Was Sent To a Server In Russia

angry tapir writes "The stolen credit card numbers of millions of Target shoppers took an international trip — to Russia. A peek inside the malicious software that infected Target's POS (point-of-sale) terminals is revealing more detail about the methods of the attackers as security researchers investigate one of the most devastating data breaches in history. Findings from two security companies show the attackers breached Target's network and stayed undetected for more than two weeks. Over two weeks, the malware collected 11GB of data from Target's POS terminals. The data was first quietly moved to another server on Target's network and then transmitted in chunks to a U.S.-based server that the attackers had hijacked. Logs from that compromised server show the data was moved again to a server based in Russia starting on Dec. 2." A related article at Wired points out that Target suffered a similar breach in 2005, and apparently didn't learn its lesson.

137 comments

  1. POS by tompatman · · Score: 5, Funny

    Target's terminals are aptly named.

    1. Re: POS by Anonymous Coward · · Score: 5, Insightful

      Considering that the terminals in question were running un-patched, net booted XP SP2 WinPE instances with an old Java 4 version, the fact that there were attack vectors should be a long ways from shocking.

    2. Re: POS by Anonymous Coward · · Score: 5, Insightful

      Target doesn't really care. They had $100 million in cyber security insurance so most of the cost of this will be covered. AFA the public not trusting Target, well, it will pass quickly because the masses have a short attention span.

    3. Re: POS by Anonymous Coward · · Score: 0

      Do you think their insurance rates might, just might, go up? Do you think their reputation might, just might, suffer a bit? Yeah, they care.

    4. Re: POS by ChromaticDragon · · Score: 4, Interesting

      I am curious regarding your information. Got source?

      Last I'd heard, the expected sum of lawsuits, settlements, fines, etc. would be WELL over $100mil (as in several times that). Apparently, for reference, a similar breach, TJ Maxx, ended up being closer to $200mil.

      Furthermore, it seems Target was self-insured for this. So it isn't quite correct to think they will glibly hand this bill to an insurer - they ARE their own insurer.

    5. Re: POS by Megane · · Score: 5, Interesting

      The thing that bugs me most is that they were on a network that was routed to the entire internet. Yeah, I don't think a POS terminal needs to be able to check Google or Facebook, much less "chernyykhod.ru". Even simply putting them on a VLAN with a very restrictive firewall to the public internet would have avoided the problem. And a RFC-1918 network doesn't count if it's behind a NAT router, since these packets went outbound from the POS. Belt and suspenders.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    6. Re: POS by gl4ss · · Score: 1

      there shouldn't be insurance for breaking the rules.

      the insurance company should just fuck 'em at this point for not keeping up their part of the deal - there are certain ways of acting that were expected from Target - and well, if this happens this often then they should charge them 15 million per year for the insurance at least.

      oh and you know, the fucking big cc companies should just treat them the same as any smaller business, but they don't. if some mom'n'pop had similar happening they wouldn't be charging any credit cards anytime soon.

      --
      world was created 5 seconds before this post as it is.
    7. Re: POS by Anonymous Coward · · Score: 1
    8. Re: POS by Anonymous Coward · · Score: 5, Interesting

      They might care, but I can bet their solution will be more bureaucracy rather than better technology. There are likely IT people within the company that see the problems and know how to fix them but they will be ignored. CxO types hate those annoying IT people that are always complaining about security. They will bring in a solution sold by a slick sales person at a major company.

    9. Re: POS by Anonymous Coward · · Score: 0

      They do when your POS system is hosted for you by some other company in a well known city, and the only way to reach them is via throwing an IPSEC Tunnel up over a public internet connection. However, that isn't to say that Target couldn't have put a firewall rule or two on those ASAs that they have installed at all of their sites to facilitate said L2L VPN.

    10. Re: POS by egcagrac0 · · Score: 2

      Last I'd heard, the expected sum of lawsuits, settlements, fines, etc. would be WELL over $100mil (as in several times that). Apparently, for reference, a similar breach, TJ Maxx, ended up being closer to $200mil.

      While $200 million is a lot of money to a lot of people, it's less than 10% of Target's typical annual profit. Some financial summaries

      So yes, it will sting a bit, but it's not going to put them under.

    11. Re: POS by jythie · · Score: 4, Informative

      It is also possible that their underwriters could claim that Target did not take due diligence in protecting its network and thus a full payout is not warranted. Insurance companies do not like being treated like a blank check to not take precautions.

    12. Re:POS by JoeMerchant · · Score: 3, Funny

      In Soviet Russia: Credit Cards -> Target -> YOU.

      Seriously, though, this means that the perps were able to set up a relay station in Russia. I would hope that a person/organization capable of this kind of operation would have the resources/foresight to relay data through several foreign countries.

      How embarrassing would it be for the Target data to have been heisted straight to young Matthew Broderick's bedroom? Even if something like that did happen, I'd expect the circulated news stories to tell tales of a massive, sophisticated, international syndicate of PhD hackers, who have now been arrested and jailed, or terminated by drone strike if they were hiding in uncooperative countries. Which story inspires more confidence in the safety of our financial systems? That is likely the story that will be told.

    13. Re: POS by NatasRevol · · Score: 1

      And on the plus side, it will hurt the CxO types (less bonuses & dividends) who would have blocked the decision to upgrade to a better, but more expensive, POS.

      --
      There are two types of people in the world: Those who crave closure
    14. Re:POS by LifesABeach · · Score: 1

      Ho! So if my Tickle-Me-Elmo needs to be returned, Target is saying, "You have to go to our Moscow Store?"

    15. Re: POS by mythosaz · · Score: 4, Informative

      Doesn't appear that way to me...

      The actual report on the software installed on the agent makes it pretty clear that the information was being gathered locally and forwarded internally to a collection point before being sent to Russia, like I suggested in previous threads:

      http://krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf

      The point of sale machines try to make a connection to \\10.116.240.31\c$\WINDOWS\twain_32 -- an obvious store-and-forward point on the network for exporting the card data outside of Target. Hackers compromised this box, likely named ttcopscli3acs, since the credentials passed to 10.116.240.31 were ttcopscli3acs\Best1_user with a password of BackupU$r.

      It also made port 80 requests to 10.116.240.31 -- the server the hackers "owned" inside of Target.

      The rest of the breakdown only details the registry changes that happen when you install a service -- which was the install vector. There isn't a discussion of how the skimming/scanning/card-stealing software was distributed, but...

      IT WAS OBVIOUS THEY WERE ALREADY INSIDE THE NETWORK - they (p)owned servers - so it's a reasonable guess that they just deployed the software without needing any hole on the workstations.

      The twain_32 folder is one of those things that casual inspection would overlook - and obviously did.

    16. Re: POS by mythosaz · · Score: 1

      ....one obvious conclusion jumped to is that the test box for ThreatExpert might also just be called "ttcopscli3acs" but the means by which this works (forwards data to an internal box) remains the same.

    17. Re: POS by chipperdog · · Score: 2

      I usually don't post comments asking people with moderator points to mod a comment up, but mod up this parent....

      There are likely IT people within the company that see the problems and know how to fix them but they will be ignored. CxO types hate those annoying IT people that are always complaining about security. They will bring in a solution sold by a slick sales person at a major company.

      Is likely the most accurate statement I've seen in a while. In my 20+ years in the tech/IT/OT field, what a salesman is selling to (non-tech) management seems to trump the feedback that is received from tech departments. Case in point, just this week there is a copier/printer vendor that insists on installing a software agent that is supposed to report back meter readings and troubleshooting info to them (and "managing our printing costs"), but looking into it, it has the capability of scanning the entire network and reporting on every device it sees. As lead network and systems administrator, I say no way will I allow an externally controlled and reporting network scanner on any of our secure networks - and I'm being framed as being uncooperative, not considering my report that the vendor solution will break many layers of security... I may have to make sure the agent is disallowed in group policy, in case it can be installed in user space without elevated rights on the machines (wouldn't surprise me that they'll just try installing it on a user's workstation)...

    18. Re: POS by Anonymous Coward · · Score: 1

      It is also possible that their underwriters could claim that Target did not take due diligence in protecting its network and thus a full payout is not warranted. Insurance companies do not like being treated like a blank check to not take precautions.

      That's not what underwriters do. Underwriters would be the ones responsible for not researching the security measures Target had in place when they estimated the premiums that should be charged.

    19. Re: POS by LWATCDR · · Score: 1

      Welcome to the world of embedded Windows. The cost of updating all of those systems would be huge, not to mention testing every system with the new OS. What I do not get is: if they are running Java, why are they running Windows? Why not Linux?

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    20. Re: POS by mythosaz · · Score: 1

      While I'm tacking stuff onto this, I should also say that it doesn't appear as though ThreatExpert installed this sniffer with any sort of parameters - meaning the default behavior for this executable contained the 10.116.240.31 machine and expected the c$ share and twain_32 folder to exist.

      Although the "kit" form of this executable may include space for selecting a new drop-off point, or the executable they examined might just have a wrapper on it that passes shares and credentials to the real executable, it was designed just for someone who already owned 10.116.240.31.

      It's a pretty lazy threat analysis. They run it through an application sequencer, noted the keys it captured and called it "analyzed." I know they'll go further, but why not tell their clients more about the process - does it spawn other processes, handles, hooks, threads, etc?

    21. Re: POS by Anonymous Coward · · Score: 0

      You're assuming that it is Target's CxO staff that made said decision and not the CxO staff of said vendor who supplied the POS system to them in the first place, or the Sales Staff at the Vendor who secured the contract based on "you can keep your existing hardware and we will make our software run on it", not knowing that said stations had 128MB of Memory, no Hard Disk, and needed to run an XP-like OS (XP WinPE) with Java and the POS Client that ties up 47MB on its own.

      I bet that upgrading a few thousand machines to 256MB of memory looks pretty cheap now, doesn't it?

    22. Re: POS by tysonedwards · · Score: 2

      Much of the common Point-of-Sale hardware does not have Linux drivers.

      Things like the multiple Barcode Scanners, Thermal Printers, Cash Drawers, Magcard Readers, etc. are typically only provided with Windows drivers.
      Like it or not, an organization like Target *NEEDS* warranty support for when something fails, and saying "we use linux" doesn't really fly.

      --
      Thirty four characters live here.
    23. Re: POS by objectdisoriented · · Score: 1

      I'm certain Target was observing "best practices" as written about in trade rags, and probably had numerous security, PCI, and HIPAA audits from outside "experts" on a routine basis.

      That will probably satisfy the card processing industry and insurers. Clearly it satisfied the director and C-level executives.

      OTOH, they are pretty clueless about how to secure an IT infrastructure. Practices likely followed typical industry norms: minimum length passwords containing upper/lower case, a number and a special character that expire every 30 days, a change control process, a policy to review all 3TB of daily log files for anomalies, division of responsibilities, encrypting all sensitive data, and related meaningless drivel meeting the letter of standards such as PCI compliance.

      In the end, you can't fix clueless.

      --
      Performance must be inherent in every aspect of the system. It is not an afterthought, but always thought. - me
    24. Re: POS by sjames · · Score: 1

      That's a real knee slapper!

      The performance bonuses will be paid out on time and at maximum value. Employee hours will be cut and managers will make speeches about how they all have to pull together and do more with less (except the CxOs of course) to get through the tough times.

    25. Re: POS by LWATCDR · · Score: 1

      "Things like the multiple Barcode Scanners, Thermal Printers, Cash Drawers, Magcard Readers, etc. are typically only provided with Windows drivers."

      I wonder if Target or Walmart said to the makers of those, "We need Linux drivers", if that would change? Magcard readers should not be much of an issue since they are probably USB or serial devices. A cash drawer should be an easy interface as well. The printer and Barcode scanners are the only iffy ones, and for all I know the Barcode scanners are USB HID devices.
      Things are very different when it comes to things like drivers when Target or WalMart ask vs the average developer.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  2. in soviet russia by Joe_Dragon · · Score: 5, Funny

    In Soviet Russia We Target You!

    1. Re:in soviet russia by bradgoodman · · Score: 3, Informative

      I only checked the posts here to read the impending "In Soviet Russia..." jokes.

    2. Re:in soviet russia by Anonymous Coward · · Score: 0

      I'm convinced that's the only reason Slashdot has any stories pertaining to Russia.

      That being said, Joe Dragon's joke was great.

  3. Quietly moved ??? by amalcolm · · Score: 2, Funny

    Does moving data usually make a noise?

    --
    Time for bed, said Zebedee - boing
    1. Re:Quietly moved ??? by Anonymous Coward · · Score: 0

      I've heard an Ethernet card make a high pitched whining noise under load.

    2. Re:Quietly moved ??? by Anonymous Coward · · Score: 0

      Does moving data usually make a noise?

      It does when you're drunk no matter how quiet you try to be.

    3. Re:Quietly moved ??? by GameboyRMH · · Score: 1

      Then there are hard drive noises, tape noises, CD noises...

      So I'd say moving data usually makes a noise. Not always, but usually.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:Quietly moved ??? by alen · · Score: 0

      any IDS worth a damn should be flashing red lights any time a lot of traffic is sent to russia, china and anywhere else east of the iron curtain

    5. Re:Quietly moved ??? by Anonymous Coward · · Score: 0

      any IDS worth a damn should be flashing red lights any time a lot of traffic is sent to America

      Get with the times.

    6. Re:Quietly moved ??? by ruir · · Score: 1

      I think they lately invented something obscure called ethernet, or in more layman terms, Internet, that apparently doesn't make mechanical noises.

    7. Re:Quietly moved ??? by ruir · · Score: 2

      Any connection that doesn't need an Internet presence, or doesn't have DNS sites, should cut China's IP address space. Less SPAM and especially fewer cyber attacks. Even when they are not really targeted, they simply have the biggest concentration of old unpatched machines, and their mentality of "if it works, don't touch it" (instead of the more consumerist view of the USA: it is slow, let's bin it and buy a new one) doesn't help either in making them a hive of zombie machines.

    8. Re:Quietly moved ??? by GameboyRMH · · Score: 1

      Most of the servers that serve content over the Internet use hard drives ;-)

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    9. Re:Quietly moved ??? by geogob · · Score: 1

      Of course, this is a metaphor, saying they moved the data in a manner not to be detected, although I suspect that is not quite accurate. Most likely they did make a lot of noise while moving the data, but no one listened.

    10. Re:Quietly moved ??? by BosstonesOwn · · Score: 1

      Most IDS systems should trigger alerts and close the route when sending massive amounts of data ANYWHERE !

      All my gear is set up so that if you're sending a pack over 5 megs and you didn't get auth from secops and the mac cleared, the route is shut down. Yes it's draconian but it prevents a lot of network abuse and has left me with 2 300 meg circuits instead of 2 gig circuits.

      --
      This package Does Not Contain a Winner
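
The three detection points raised in this thread (Megane's "a POS terminal has no business reaching the public internet", mythosaz's observation that the registers wrote to an admin share and made port 80 requests to an internal box, 10.116.240.31, and BosstonesOwn's rule of cutting any pair that moves more than 5 MB without an exception on file) can be expressed as one policy run over connection logs. The following is an added example, not code from the thread or from any of the vendors or companies named in it. The register segment (10.20.0.0/16), the payment gateway (10.30.1.10:443), the log format and the register and public addresses are all constructed assumptions; only 10.116.240.31 comes from the report quoted above.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Flow is one connection summary, the way a firewall or NetFlow exporter logs it.
type Flow struct {
	Src, Dst string
	Port     int
	Bytes    int
}

// Alert records which rule fired on which flow.
type Alert struct {
	Rule string
	Flow Flow
}

// Policy says what a register may talk to. Every value is an assumption made for
// this example; Target's real addressing and allow lists are not known.
type Policy struct {
	POSNet    *net.IPNet      // the segment the registers live on
	Allowed   map[string]bool // "host:port" destinations a register is expected to reach
	BulkBytes int             // bytes one src/dst pair may move before an alert
}

// parseFlow reads one constructed "key=value ..." log line; unknown keys are ignored.
func parseFlow(line string) (Flow, error) {
	var f Flow
	for _, kv := range strings.Fields(line) {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			continue
		}
		switch parts[0] {
		case "src":
			f.Src = parts[1]
		case "dst":
			f.Dst = parts[1]
		case "dport":
			f.Port, _ = strconv.Atoi(parts[1])
		case "bytes":
			f.Bytes, _ = strconv.Atoi(parts[1])
		}
	}
	if net.ParseIP(f.Src) == nil || net.ParseIP(f.Dst) == nil {
		return f, fmt.Errorf("malformed flow line: %q", line)
	}
	return f, nil
}

// Evaluate judges every flow whose source is a register:
//   egress               destination outside private (RFC 1918) space
//   smb-admin-share      SMB (445) to an internal host not on the allow list, the drop-folder pattern
//   unexpected-internal  any other internal destination not on the allow list (e.g. HTTP to a staging box)
//   bulk                 more than BulkBytes moved between one src/dst pair, allow-listed or not (once per pair)
func Evaluate(p Policy, lines []string) []Alert {
	var alerts []Alert
	volume := map[string]int{}
	bulkSeen := map[string]bool{}
	for _, line := range lines {
		f, err := parseFlow(line)
		if err != nil {
			continue // a real pipeline would count parse failures; they are a signal too
		}
		src, dst := net.ParseIP(f.Src), net.ParseIP(f.Dst)
		if !p.POSNet.Contains(src) {
			continue // only register-originated flows are judged by this policy
		}
		if !p.Allowed[f.Dst+":"+strconv.Itoa(f.Port)] {
			switch {
			case !dst.IsPrivate():
				alerts = append(alerts, Alert{"egress", f})
			case f.Port == 445:
				alerts = append(alerts, Alert{"smb-admin-share", f})
			default:
				alerts = append(alerts, Alert{"unexpected-internal", f})
			}
		}
		pair := f.Src + "->" + f.Dst
		volume[pair] += f.Bytes
		if volume[pair] > p.BulkBytes && !bulkSeen[pair] {
			bulkSeen[pair] = true
			alerts = append(alerts, Alert{"bulk", f})
		}
	}
	return alerts
}

// CountByRule summarises alerts by rule name.
func CountByRule(alerts []Alert) map[string]int {
	counts := map[string]int{}
	for _, a := range alerts {
		counts[a.Rule]++
	}
	return counts
}

// SampleFlows are constructed log lines. 10.116.240.31 is the internal collection
// host named in the ThreatExpert report quoted above; every other address is invented.
var SampleFlows = []string{
	"ts=2013-12-02T03:14:07Z src=10.20.5.17 dst=10.30.1.10 dport=443 bytes=4200",
	"ts=2013-12-02T03:15:01Z src=10.20.5.17 dst=10.116.240.31 dport=445 bytes=3000000",
	"ts=2013-12-02T03:15:40Z src=10.20.5.17 dst=10.116.240.31 dport=80 bytes=512",
	"ts=2013-12-02T03:16:12Z src=10.20.5.17 dst=10.116.240.31 dport=445 bytes=2500000",
	"ts=2013-12-02T03:17:00Z src=10.20.5.18 dst=198.51.100.20 dport=80 bytes=900",
	"ts=2013-12-02T03:18:00Z src=10.116.240.31 dst=198.51.100.20 dport=443 bytes=9000000",
}

// DefaultPolicy: registers on 10.20.0.0/16 may only reach the payment gateway.
func DefaultPolicy() Policy {
	_, posNet, _ := net.ParseCIDR("10.20.0.0/16")
	return Policy{
		POSNet:    posNet,
		Allowed:   map[string]bool{"10.30.1.10:443": true},
		BulkBytes: 5 * 1024 * 1024, // the 5 MB figure from the thread
	}
}

func main() {
	for _, a := range Evaluate(DefaultPolicy(), SampleFlows) {
		fmt.Printf("%-20s %s -> %s:%d (%d bytes)\n", a.Rule, a.Flow.Src, a.Flow.Dst, a.Flow.Port, a.Flow.Bytes)
	}
}
```

On the sample input this raises five alerts: two SMB connections to the collection host, one unexpected HTTP request to it, one bulk alert when the register's cumulative bytes to that host pass 5 MB, and one egress alert for the register that reached a public address. The last sample line, the collection host itself pushing 9 MB to a public address, raises nothing, because this policy only judges register traffic; the summary's description of the data being moved to another internal server first and only then out of the network is exactly why the same egress and bulk checks belong on the server segments as well.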
    11. Re:Quietly moved ??? by Anonymous Coward · · Score: 0

      Only if it's in a forest and no one is around to hear.

    12. Re:Quietly moved ??? by Kvasio · · Score: 1

      you must be new here...
      Have you ever picked up the phone to hear a modem transmission? It was LOUD!

  4. It could have been worse... by bogaboga · · Score: 2

    If the attackers had left a script behind to effectively re-partition or even reformat the compromised servers' hard-drives.

    But what troubles me the most is the common American citizen's perception that we (as Americans), lie at the epitome of technology that works; after all, we have the "biggest and greatest" technology companies, right?

    1. Re: It could have been worse... by Anonymous Coward · · Score: 0, Interesting

      Considering that all of the servers in question run on vSphere with NFS LUNs mapped against a NetApp, snapshotted hourly and off-sited nightly, the wiping of servers while painful wouldn't be "that bad".

      Also, the server VMs run RHEL, updated regularly, while the POS Terminals are Netbooted WinPE with a very old Java version.

    2. Re:It could have been worse... by Anonymous Coward · · Score: 0

      When other companies use the NSA back entrances it is called hacking. When NSA use it its called FREEDOM fighting.

    3. Re: It could have been worse... by Anonymous Coward · · Score: 0

      Windows was involved in a massive security breach, huh? You don't say!

      Too bad they didn't use RHEL for the point of sale system too. Then they could add a PaX/grsec kernel, SELinux, compile everything with canaries, and lots of other good ideas that should be standard fucking practice.

    4. Re:It could have been worse... by Anonymous Coward · · Score: 1

      But what troubles me the most is the common American citizen's perception that we (as Americans), lie at the epitome of technology that works; after all, we have the "biggest and greatest" technology companies, right?

      Who are some of these common American citizens? The figment of someone's imagination.

    5. Re:It could have been worse... by Anonymous Coward · · Score: 0

      You know what's even funnier?
      Americans used to laugh at Soviet propaganda about how great "Mother Russia" was. And now they laugh at Chinese and North Korean propaganda.

      Long after America crumbles into decay, Americans will still be laughing at the smug superiority of other countries and how easily the sheeple in those countries are duped.

    6. Re:It could have been worse... by Anonymous Coward · · Score: 0

      When other companies use the NSA back entrances it is called hacking. When NSA use it its called FREEDOM fighting.

      Exactly, the NSA is fighting against freedom. What else would they call it?

    7. Re:It could have been worse... by objectdisoriented · · Score: 1

      we have the "biggest and greatest" technology companies, right?

      Target is a low-price, high-value retail store, not a technology company. In other words, a low cost provider of stuff for people's homes.

      I believe they have as many, if not more, IT personnel in their India data centers as they have at their headquarters.

      An exemplar of a US technology company they are not, no matter how much they spend on IT.

      --
      Performance must be inherent in every aspect of the system. It is not an afterthought, but always thought. - me
  5. Ooo those dirty russians. by Anonymous Coward · · Score: 0

    has there ever been anything but criminal activity coming out of there?

  6. Color me gobsmacked! by Anonymous Coward · · Score: 0

    Former Eastern Bloc citizens involved in credit card fraud? Hold the presses! Make way for a new headline!

    In all seriousness, some of the brightest programmers I have met over the decades have been from Eastern Europe. The combination of general poverty, lack of access to modern hardware, and (?) vodka forces them to learn about the guts of the hardware in order to make do - much like the original computer hobbyist community in the U.S.

    What will be interesting to watch is Putin's reaction if this highly publicized crime originated in Russia. I am sure with uncertainty about Sochi in the wings, he will bring down an - excuse the obvious pun - iron sledgehammer on the responsible parties.

  7. Is that really.. by Anonymous Coward · · Score: 0

    Where the data stopped moving? Maybe. If their payload didn't self-destruct then they might have made an additional mistake and used too few hops during the getaway.

  8. Re:and then moved to a server in China by Anonymous Coward · · Score: 0

    and then moved to Iran by North Korean hackers, I mean cybercriminals, and then used to fund terrorism by the Syrian govern- I mean regime.

  9. Re:and then moved to a server in China by Anonymous Coward · · Score: 0

    Right? Gotta keep that anti-Chinese bias alive somehow.

    Yes you are so correct! The People's Republic of China is governed by some of the most honest, kindhearted, honorable people in the world. Who could possibly have a bias against them?!

    I mean they're so very thoughtful, when they shoot someone for having the wrong political opinion, they even send the family a bill for the bullet! It's so nice for the family members not to be forgotten during their time of grieving. Considerate! And the glorious sweatshops! What child wouldn't want to work 12hrs a day in there!

    Yessir, anyone who doesn't like them is obviously biased.

  10. Dissapointed Senators by Anonymous Coward · · Score: 0

    They hoped China could be blamed again.

  11. And the NSA Missed All Of This? by littlewink · · Score: 5, Interesting

    Where's our protection from Russian financial terrorists? Were the NSA employees in charge distracted by their Starbucks caramel macchiatos at the time this was coming down?

    A clear instance of international crime/terrorism and NSA was asleep at the wheel.

    1. Re:And the NSA Missed All Of This? by ruir · · Score: 4, Funny

      NSA is too busy reading their ex emails...

    2. Re:And the NSA Missed All Of This? by Anonymous Coward · · Score: 1

      I get what you're saying, but you have the Chinese also "attacking" the US for secrets. I guess the tragic comedy in this is this quote.

      "A related article at Wired points out that Target suffered a similar breach in 2005, and apparently didn't learn its lesson."

      It appears neither the government nor companies learn their lessons: the government for being pathetically stupid enough to run infrastructure and classified information on open networks instead of closed loops...

      And companies for lacking common sense; you're a million/billion dollar company, how much could it possibly cost to hire a couple of well known security research groups to test thoroughly?

      And the blame comes down to politicians, Washington, and the federal agencies that have done nothing to pass laws and regulations to heavily fine any company for not checking with security researchers to limit [the fact remains you cannot eliminate the possibility/probability] any holes that could be accessed. Or even a system that detects when data is being breached.

    3. Re:And the NSA Missed All Of This? by swb · · Score: 3, Interesting

      I keep asking myself why the NSA isn't more involved in large-scale financial fraud considering their ample abilities to sample international data networks and their likely considerable focus on Russia and the involvement of shady financial transactions in funding terrorism.

      In the case of Russia specifically, I would expect the NSA to be heavily involved in monitoring Russian hackers given the shadowy nexus of hackers, organized crime, ex-KGB agents, and the current FSB.

    4. Re:And the NSA Missed All Of This? by Vitriol+Angst · · Score: 1

      Dang it -- you said my comment first!

      The only thing I would add is; I've never thought the NSA and agencies like them are interested in the Security of the USA for the people of the USA -- that's just the PR cover story.

      The NSA needs all that data, and the CIA needs Facebook, and the TSA has to know everything about Joe Worker but totally ignores who gets on a Leer jet because this is all about the USA Police State. We are clearly on the path from a First Tier Developed Nation to a 2nd Tier and controlling people and political opponents is crucial to Neo Feudalism.

      Of course, I could back this opinion up, but it's not like anyone has a book that says; "Secret Diabolical Plans." It's just you get the general notion when a bank can launder drug money and nothing happens, and then a person can smoke some MJ and go to a corporate prison for 20 years that -- this aint the land for you and me.

      --
      >>"ad space available -- low rates!!!"
    5. Re:And the NSA Missed All Of This? by Anonymous Coward · · Score: 0

      In the case of America specifically, I would expect the FSB to be heavily involved in monitoring American hackers given the shadowy nexus of hackers, organized crime, ex-CIA agents, and the current CIA.

    6. Re:And the NSA Missed All Of This? by msmonroe · · Score: 1

      NSA is too busy reading their ex emails...

      Ha, Love it!

    7. Re:And the NSA Missed All Of This? by Anonymous Coward · · Score: 0

      This type of crime doesn't endanger the rich, powerful & well-connected -- or those who run the NSA. Only the little people. So the NSA doesn't care. Despite whatever pretense of 'national security' they bleat on about.

      Follow the money (in this case, the money flowing to the NSA).

    8. Re:And the NSA Missed All Of This? by Dr.Syshalt · · Score: 1

      I'm wondering who costs American taxpayers more, actually - NSA or Russian hackers.
      It's probably all about money - involving NSA in such operations would be a net loss regardless of the result. I'm too lazy now to check the numbers, so it's just a guess.

  12. So thats who it was by Anonymous Coward · · Score: 0

    It was Snowden

  13. PCI compliance? by NynexNinja · · Score: 5, Interesting

    Target suffered similar data theft in 2005, and now again in 2013. By storing cardholder information, CVV's and (worst) PIN's in the clear, they obviously are not PCI DSS compliant. If this happened to any other retailer, Visa would revoke their PCI compliance status. If nothing happens regarding their PCI compliance status, what does it say about PCI compliance in general? PCI compliance is nothing but a joke, not to be taken seriously. Why even go through the work and trouble to get PCI DSS certified if companies like Target can flout the rules and get away without any penalties.

    1. Re:PCI compliance? by Anonymous Coward · · Score: 2, Insightful

      Because you don't have a choice if you want to stay in business.

      Most of us aren't big enough to tell the CC companies to go fuck themselves, and customers kind of require CC processing for online purchases. Many people have learned to stay the fuck away from things like paypal by this point. A business that can't take credit cards is a business about to cease to exist, or shouldn't really be called a business in the first place.

      --BitStream

    2. Re:PCI compliance? by Anonymous Coward · · Score: 0

      Well, a card not working at target would be a major disadvantage and something other card manufacturers can even advertise with that theirs does.

    3. Re:PCI compliance? by alen · · Score: 3, Interesting

      it's like SOX and HIPAA
      you do a lot of work "certifying" that things work according to someone's checklist and repeat next year

      they are nothing more than jobs programs for auditors and a get out of jail free card for everyone involved

    4. Re:PCI compliance? by Anonymous Coward · · Score: 0

      Not being PCI compliant only means you pay a 0.5% surcharge directly to Visa on all transactions until you come back into compliance. Visa WANTS you to be non-compliant, because they make BILLIONS from it.

    5. Re:PCI compliance? by Anonymous Coward · · Score: 0

      That's the kind of situation that shouts for: "a Computer Engineer Order to protect the public, like all other real professions have".

    6. Re:PCI compliance? by Anonymous Coward · · Score: 0

      Bingo. And the company pays the auditors for the annual review. The auditor is motivated to give a good rating so they are hired back next year.

    7. Re:PCI compliance? by cdrudge · · Score: 2

      By storing cardholder information, CVV's and (worst) PIN's in the clear, they obviously are not PCI DSS compliant

      If reports are to be believed, the malicious programs grabbed the information from memory on the infected POS machines. This wasn't a database that was dumped that had all the information in nice organized columns all in the clear.

      While PCI compliance does call for not storing, encrypting, and/or otherwise taking certain precautions with certain data, I don't believe it requires end-to-end encryption between the mag stripe read head and the payment processor. It's allowed to be decrypted somewhere, and this malware was designed to exploit it when it was available decrypted.

    8. Re:PCI compliance? by Megane · · Score: 1

      Having had to write code to talk to PIN pads back in the late '90s, they still should never have had the unencrypted PINs, even with access to memory in a POS terminal. The PIN pad should be epoxy potted, with the encryption key (and maybe even its entire firmware) injected into battery-backed RAM. The only thing leaving that PIN pad should be an encrypted blob based on the PIN. I even vaguely recall having to provide the card number to the PIN pad, making it a sort of salt to the encryption process. And the credit card clearinghouse is the only place with the other half of the key.

      Or at least that's how they did it in the late '90s, before everything became a PC running Win-duh. And that's presumably why you still enter your PIN on a little device in the corner of the checkout area with its own keypad and card reader. It's not easy to put a RAM-sniffer trojan into a keypad running on an embedded microprocessor.

      For those Europeans out there, the reason you have chip-and-PIN now (from what I've been able to tell) was that your PINs weren't encrypted end-to-end from potted keypad to clearinghouse, making it much easier to intercept them. So they added the chip to help with that. Also, in the US we typically only use PINs for debit, not for regular credit cards. I think the track-2 data is used by the credit card companies to ensure that someone didn't make a clone card from the account number alone, and the CVV is used for telephone transactions. Both require access to the original card to create a forged copy. (Access like, say, a card skimmer. Or human eyes.) Most gas stations also require you to enter your zip code when you pay at the pump as a further fail-safe against a stolen or forged card. (I learned that the hard way the time I entered 55555, and had to call my credit card company to get it straightened out.)

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    9. Re:PCI compliance? by Anonymous Coward · · Score: 0

      Target suffered similar data theft in 2005, and now again in 2013. By storing cardholder information, CVVs and (worst) PINs in the clear, they obviously are not PCI DSS compliant. If this happened to any other retailer, Visa would revoke their PCI compliance status. If nothing happens regarding their PCI compliance status, what does it say about PCI compliance in general? PCI compliance is nothing but a joke, not to be taken seriously. Why even go through the work and trouble to get PCI DSS certified if companies like Target can flout the rules and get away without any penalties?

      Forensic investigator / pin auditor / pci auditor here

      1. Correct, PCI compliance is mostly taken as a long list of check boxes for management. Do we have an IDS? Yes. Does anyone actually respond to events? No. Do we have FIM installed on our POS terminals? Yes. Does anyone actually care to respond or review the events? No. etc. etc. This is especially true in low margin and non-security centric markets (retail, hospitality, etc). Blah, blah C*O cynicism.

      2. Please get your facts straight. Target was not storing CVV's or PINs in the clear. CVV2 (3 digit code on the back, used for card not present transactions) data was not stolen in the breach. CVV data was. This data is stored on the magstripe of the card and is considered part of track data. It was not "stored" in the clear. PIN BLOCK data was stolen in the incident but not actual PINs. There is a very big distinction here. Without the key, pinblocks are worthless and each pinblock is encrypted per transaction. PCI DSS may be somewhat of a joke but PIN encryption is actually rather strong. The only asterisk here is if the intruders were able to access the keys which are stored inside the HSM. These systems are designed to have very strong physical and logical security. The system will not be accessible unless two separate keys are inserted into the physical box, etc etc.

      Pinblock encryption was designed to be sturdy enough to be exposed and not be considered at-risk. That's the entire point. The whole idea behind encryption is that your encrypted message could be seen by a third party but the plain text version should not be reversible. It doesn't matter if there are only ~9999 different types of PINs. The encryption key is different for every transaction.

      -----------

      Back in the day, before the sensitive data was encrypted prior to transmission, malware used to target it at the network level. The data in this breach was scraped from memory at the terminal level. I can't tell you how many ignorant comments I've read where some uninformed individual says "WHY IS TARGET STORING THIS DATA." They are not and most companies that experience breaches do not store this data either. The malware scraped it when it is stored temporarily in memory. This is how 99% of the malware works nowadays (and for the past few years) because attackers know that the data is temporarily stored in plain text in the memory. It is then encrypted for transmission to the processor.

      http://www.computerworld.com.au/article/536176/target_credit_card_data_sent_server_russia/

      With regard to the exposure of the pinblocks, the data was just sitting in memory next to the track data and happened to be grabbed by the scraper during its operation.
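The "card number as salt" step Megane remembers, and the PIN block the auditor says was captured, are the same thing: an ISO 9564-1 format 0 PIN block. The following is an added example (not code from either poster) that builds and parses such a block; the cipher step that real pads apply afterwards (TDES/AES under a per-transaction key) is outside its scope, and the PAN and PIN values are constructed.

```python
"""ISO 9564-1 format 0 PIN block: PIN field XOR PAN field.

Added example, not from any post above. Shows how the PAN is folded into
the block before encryption and why a captured block tells you nothing
without the key: the pad only ever emits the encrypted form of this block.
"""


def pan_field(pan: str) -> bytes:
    """8-byte PAN field: four zero nibbles, then the twelve rightmost PAN
    digits excluding the Luhn check digit."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short for format 0")
    return bytes.fromhex("0000" + digits[-13:-1])


def pin_field(pin: str) -> bytes:
    """8-byte PIN field: control nibble 0, PIN length nibble, the PIN
    digits, then 0xF padding out to sixteen nibbles."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def encode_pin_block(pin: str, pan: str) -> bytes:
    """Clear format 0 block; this is what the pad encrypts, never what it
    sends. The same PIN gives a different block on every PAN."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def decode_pin_block(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear block given the PAN it was built with.
    A wrong PAN fails the digit/padding checks instead of yielding a
    plausible-looking PIN."""
    if len(block) != 8:
        raise ValueError("format 0 blocks are 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("control nibble is not 0: not a format 0 block")
    n = int(field[1], 16)
    pin, pad = field[2:2 + n], field[2 + n:]
    if not (4 <= n <= 12) or not pin.isdigit() or pad != "F" * (14 - n):
        raise ValueError("PIN/padding check failed: wrong PAN or corrupted block")
    return pin


if __name__ == "__main__":
    pan, pin = "4111111111111111", "1234"  # constructed sample values
    block = encode_pin_block(pin, pan)
    print(block.hex().upper())           # 041225EEEEEEEEEE
    print(decode_pin_block(block, pan))  # 1234
```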

  14. Won't shop there again, but... by DruidWheresMyCar · · Score: 2

    Did anyone else get an email from them offering free credit monitoring?

    1. Re:Won't shop there again, but... by jandrese · · Score: 1

      Yeah, but it's layered on top of several other free credit monitoring services I apparently have now from breakins at various companies. I'll never have to pay for credit monitoring ever. As usual Target didn't tell me WHO is doing the monitoring, or how they might contact me if something suspicious happens in my name. I expect this to be just as useful as all of the other credit monitoring services I apparently have.

      --

      I read the internet for the articles.
    2. Re:Won't shop there again, but... by omnichad · · Score: 1

      Yeah - it was hilarious. It had a link to a sign up page that warned:

      Be wary of calls or email scams that may appear to offer protection but are really trying to get personal information from you. Please navigate directly to websites rather than clicking on links within emails.

      Straight from an email that appeared to offer protection and asked for personal information. At least the link showed the URL in plain text so you could copy/paste or retype it easily.

  15. Crime backfiring: card numbers are worthless. by Anonymous Coward · · Score: 0

    What's happening is that victims are canceling those cards and everyone is on the lookout for them. So, when the Russian hackers try to sell or use them, they're not going to work.

    Their booty is worthless.

    1. Re:Crime backfiring: card numbers are worthless. by stoploss · · Score: 1

      What's happening is that victims are canceling those cards and everyone is on the lookout for them. So, when the Russian hackers try to sell or use them, they're not going to work.

      Their booty is worthless.

      Who's to say this wasn't the goal? Perhaps the actual goal was to adversely affect Target or the US card processing regime.

      Where would one fence eleventy billion credit card numbers, anyway? It's not like this is a tenable amount, considering the depth of market for stolen credit card numbers.

    2. Re:Crime backfiring: card numbers are worthless. by jandrese · · Score: 2

      They spent months selling them already. The guys who did this have already made out like bandits.

      --

      I read the internet for the articles.
    3. Re:Crime backfiring: card numbers are worthless. by Anonymous Coward · · Score: 0

      Yeah - it's possible that the goal was to steal the card info, short-sell Target shares and then make the information public, along with selling the card information. Win-win.

      You wouldn't be able to short-sell a ton, though. I assume that's one of the first places an investigator would look. Maybe 10,000 - 100,000 shares at most.

    4. Re:Crime backfiring: card numbers are worthless. by plover · · Score: 1

      They spent months selling them already. The guys who did this have already made out like bandits.

      Perhaps they made out like bandits because they are bandits?

      --
      John
  16. I don't get it by cripkd · · Score: 1

    Do they not care enough to delete the logs or are the logs on another machine somewhere above in the hierarchy?

    --
    Curiously yours, crip.
    1. Re:I don't get it by capedgirardeau · · Score: 1

      Could very well be router or firewall logs that saw the packets as they passed out of wherever the compromised server was.

      --
      Wax on, wax off baby!
    2. Re:I don't get it by Anonymous Coward · · Score: 0

      Maybe they asked the NSA where the data went. They should know.

    3. Re:I don't get it by BosstonesOwn · · Score: 1

      There is supposed to be multiple log servers, and they get backed up.

      So what happens is the logs are kept on the machines as well as shipped to a log server. It depends on how they went about this, but everything should be logging to multiple places for just this reason: hackers have automated log scrubbers that they can hide as a binary like, say, cd. The cd bin will get executed, but after the hook runs and scrubs the logs.

      --
      This package Does Not Contain a Winner
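One way the shipped copy can prove the on-host copy was scrubbed is to chain the records: each record's digest covers the previous digest, so deleting or editing a line on the host breaks the chain the log server still holds. This is an added example, not the poster's tooling; the log lines, hostname and seed are constructed.

```python
"""Tamper-evident log chain plus a local-vs-remote diff.

Added example, not from the post above. digest_i = SHA-256(digest_{i-1} || line_i),
so a host copy with lines removed no longer verifies against the records
the remote log server received. All sample data is constructed.
"""
import hashlib

SEED = "constructed-chain-seed"  # a per-host secret in practice; constructed here


def _link(prev: str, line: str) -> str:
    return hashlib.sha256(f"{prev}\n{line}".encode()).hexdigest()


def chain_logs(lines, seed=SEED):
    """Return [(line, digest), ...] as the host would ship them."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    records = []
    for line in lines:
        prev = _link(prev, line)
        records.append((line, prev))
    return records


def first_break(records, seed=SEED):
    """Index of the first record that does not continue the chain, or -1
    when the chain is intact. A scrubbed line shows up as a break at the
    record that followed it."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, digest) in enumerate(records):
        if digest != _link(prev, line):
            return i
        prev = digest
    return -1


def scrubbed_lines(local_lines, remote_lines):
    """Lines the log server holds but the host no longer does."""
    present = set(local_lines)
    return [line for line in remote_lines if line not in present]


# Constructed sample: what the host originally wrote ...
ORIGINAL = [
    "Dec 02 01:14:07 pos-gw sshd[4121]: Accepted password for svc_backup from 10.20.0.9",
    "Dec 02 01:14:09 pos-gw sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/cd",
    "Dec 02 01:15:30 pos-gw kernel: OUT=eth0 SRC=10.20.0.44 DST=203.0.113.7 DPT=443",
    "Dec 02 01:16:02 pos-gw cron[512]: (root) CMD (run-parts /etc/cron.hourly)",
]
# ... and what a scrubber left on the host (sudo and outbound lines removed).
SCRUBBED = [ORIGINAL[0], ORIGINAL[3]]

if __name__ == "__main__":
    shipped = chain_logs(ORIGINAL)                 # copy on the log server
    on_host = [shipped[0], shipped[3]]             # host copy after scrubbing
    print(first_break(shipped))                    # -1
    print(first_break(on_host))                    # 1
    print(scrubbed_lines(SCRUBBED, ORIGINAL))      # the two removed lines
```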
  17. Obvious question - Who else is infected? by amigabill · · Score: 1

    OK, so there's a lot of talk about this situation at Target. At least that one is discovered and allegedly fixed. Do these pranksters only target one store chain? Was this the easiest one to get into, and they are happy with that for now? Or are other stores similarly compromised, but either have not gone public, or do not know it yet?

  18. Target outsourced IT operations by Joe_Dragon · · Score: 3, Insightful

    Target outsourced IT operations and field work is subbed out as well.

    So maybe the IT people within the company that see the problems and may know how to fix them are so far apart from the people who work that team that they can't get stuff done, or things are set up that way so it's easier to sub work out vs locking stuff down and giving each subcontractor their own logins / private email / info on the system.

    Using common logins / just giving the info to contractors who then give that info out to the subcontractors is easier and makes it easier to change firms on each level. But then that info may not get changed / ends up in the hands of non-tech people who may not give it the security it needs.

    1. Re:Target outsourced IT operations by chipperdog · · Score: 1

      Not everything is outsourced at Target, they always have listings on Dice for Technology positions http://www.dice.com/jobsearch/company/DiceId_10111064/Target+Corporation

  19. too obvious by Max_W · · Score: 1

    To Russia, of course. Where else? The end of an investigation. Very convenient.

    Reality is usually more complicated.

  20. It largely doesn't matter by Kardos · · Score: 3, Interesting

    I'm not going to defend Target for being embarrassingly sloppy, however, no matter how you look at it, it largely doesn't matter:

    a) It's a business decision to invest in cyber-insurance or cyber-security, they picked insurance. As technical people, we like technical solutions, but maybe insurance was the right choice.

    b) If a consumer gets hit by a fraudulent cc charge, they don't eat the charge. They call their cc issuer and the issuer eats the charge. That is in part what your double digit interest rate is paying for.

    c) Everyone gets credit monitoring. If the credit monitoring is not snake oil, then it'll catch cc fraud that's not a direct result of this Target screw up. This may actually be a benefit. People who were dimly aware of how the cc system works will become informed. This is probably a net positive here.

    d) Awareness is raised about POS security; other companies who are running similarly secured systems may be motivated to fix it. Another net positive.

    The only people getting screwed are Target (for operating a shit system) and/or the cc issuers (for permitting Target to run a shit system).

    1. Re:It largely doesn't matter by houghi · · Score: 1

      and/or the cc issuers (for permitting Target to run a shit system).

      The company that issues the card is not always the same company that handles the payment at the store (or via Internet).

      e.g. In Belgium the machines in the stores are most likely from AtosWorline, but the card can be, but does not have to be, from them. e.g. I have a card from Beobank and they are the card issuer who work under license of Visa and Mastercard. They would take the loss.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:It largely doesn't matter by Solandri · · Score: 3, Informative

      b) If a consumer gets hit by a fraudulent cc charge, they don't eat the charge. They call their cc issuer and the issuer eats the charge. That is in part what your double digit interest rate is paying for.

      Fraudulent credit card charges are paid for by the merchant who sold the goods to the fraudster. When you contest a charge, the credit card issuer does a chargeback and reverses the charges on the merchant who made that transaction. The merchant then has to try to prove the charge is legit (e.g. produce a signed receipt whose signature matches the cardholder's), or he is out both the merchandise and the money. The issuer pays nothing for fraud, except for small transactions where they may decide to credit the cardholder without reversing the charges on the merchant (the charge is deemed too small and not worth the expense of investigating).

      Your double-digit interest rate pays for other credit card holders who default on their bills. And to line the pockets of the credit card issuer.

    3. Re:It largely doesn't matter by Kardos · · Score: 1

      Ah fair enough, didn't realise it was the merchant that got stiffed. But the main point still stands: the consumer doesn't eat the fraud.

    4. Re:It largely doesn't matter by ediron2 · · Score: 1

      Debit cardholders suffer, due to fewer protections legislated for cardholders. Credit cardholders do suffer lost time to clean up, or lost income if they get stuck with charges they either don't notice or are unable to clear. While apocryphal: my having a card stolen and abused ate about a day of my time, plus days of additional little inconveniences. Competitors get stuck with costs for compliance that Target dodged, which is anticompetitive.

      And yet you're right: it largely doesn't matter... **to Target**. Look at TJ Maxx's share prices during their debacle. Try to look at Sony's downward spiral and tie any part of it to security incidents -- it's dicey. And look at Target's share price: it went down in September, not December. So, if a company can dick around with mediocre security then throw PR and bandaids at it for far less.... well, it effin serves us right for letting them. But it's not a non-issue. If security fuckups like this hurt, we'd have chip and pin, or some other securer implementation than this mess.

  21. I got the notice... by EmagGeek · · Score: 2

    I got the email notice from Target at TWO of my email accounts that my information had been stolen.

    I pored over my financial data and found that I have not used any credit card at a Target store since 2008. So, obviously the breadth and depth of this attack are a lot more extensive than what they are telling us.

    Either that or Target is simply blasting everyone in their email database whether or not they believe the customer's information was stolen, which says that Target still really has no idea whose information was taken and whose wasn't.

    It really is a reflection of the vast incompetency of Target management. They don't know ANYTHING, and have just been firing the shotgun since this whole story broke.

    1. Re:I got the notice... by Abalamahalamatandra · · Score: 2

      I read an article on this recently, it appears that Target contacted both those whose name/address/email had been compromised AND those who used their credit card there during the time period using the same email. They should have split the two.

      So it's likely that your personal information was compromised, but not your credit card number. Be on the lookout for phishing attempts.

    2. Re:I got the notice... by ak3ldama · · Score: 1

      You think this matters? We should have real concerns. In late October Resers had a listeria recall on a lot of products produced at one assembly plant for lots of sub-companies. There has been no follow-up in the news (post-November) detailing any further testing by them or the FDA. That original recall was initiated due to testing done in Canada. Should there be any consumer confidence by the American public that we can trust a factory like this to produce safe food? Look at their recall window on those products; it has been expanded now and includes 2014 products. How often do they test!? Why are they still shipping this food if it's being recalled? This problem was first exposed in October. How often do they do a thorough cleaning!? I have tried to follow up and have not been told of _any_ routine testing done on American soil by either the FDA or the company in question. The Reser consumer rep literally told me consumers do not care about their quality practices and that she did not have any information for me on how often they test for this. I have tried to find out more and all I have to go on is public information in the news. All consumers have are gems like this and more questions:

      The problem was discovered through microbiological testing by the Canadian Food Inspection Agency. A traceback investigation and follow-up testing by FDA at the facility determined there was potential cross contamination of products with Listeria monocytogenes from product contact surfaces.

      --
      "but money is the God of Algiers & Mahomet their prophet." - Rich. O'Bryen June 8th 1786
    3. Re:I got the notice... by neo-mkrey · · Score: 1

      I received an email last Dec about the breach and another one yesterday offering the free credit monitoring. So I called Target and asked when my new card with new numbers was coming. Turns out -- it wasn't. Customers have to specifically call and ask for new cards to be sent. WTF?!?! A simple solution to nip this in the bud -- issue new cards with new numbers -- and they aren't doing it? I guess they would rather eat the bogus charges. If I had any Target stock, I would dump it ASAP.

    4. Re:I got the notice... by EmagGeek · · Score: 1

      It's funny, because at first I thought their email was a phishing attempt, because it did not come from target.com directly, and linked me to a website that had target logos and such but was also not a target.com domain. I had to make a phone call to find that it was legitimate.

    5. Re:I got the notice... by Anonymous Coward · · Score: 0

      I got the Experian monitoring offer to an email address I do not actively use any more since changing ISPs (seems it will not go away on its own, and some organizational senders simply cannot be persuaded to let me update my info...), but the only prior target.com email was from an online order 10 years ago!

    6. Re:I got the notice... by Anonymous Coward · · Score: 0

      Good to know - I have sort of been expecting new cards, and was thinking since we got renewed cards in November (yeah - just before the storm hit), it might have been lower on the "list". Guess it is time to get ON the list (or off the account...).

  22. Limiting outbound access to servers is too tough by Abalamahalamatandra · · Score: 2

    So, time for me to rant, but on-topic, for a second.

    Everybody knows, I would hope, that best practice is to never allow an Internet-facing server to initiate outbound traffic. This is both because, should the server get compromised, it becomes a new attack vector - as in Code Red or SQL Slammer. This is also because, as in Target's case, it makes it fairly trivial to exfiltrate stolen data.

    But services still persist that require that this very access be enabled. My current case in point: ReCAPTCHA. Google hosts the URL for this service, intended to provide additional security, on a www.google.com URL, which means that, at minimum, I have to allow outbound access from any server hosting a ReCAPTCHA on port 443 to everything Google owns. In practice, of course, it's all but impossible to keep track of Google's address space for firewall purposes, so this means that I have to allow that server out on port 443 to the entire Internet. It's either that, or set up a proxy solution that can do URL filtering and then require the CAPTCHA verification code to use that. Not exactly something your typical smaller company using ReCAPTCHA is apt to do.

    I've talked to competing, for-pay, services, and they require the same thing, despite the fact that they're smaller and have only a few, well-defined networks, but they won't commit to keeping me up-to-date with network changes.

    We really need to start pushing back on this crap. Servers accepting inbound traffic should never need to initiate outbound communications.
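As an added example (not the poster's own tooling), the audit below runs an egress allowlist over constructed firewall log lines: destinations and ports are only permitted when explicitly listed, which is the policy argued for above. The allowlist, interface names and addresses are constructed (RFC 5737 test ranges), and a second, permissive policy of "443 to anywhere" shows why a hosted CAPTCHA verifier that forces that rule hides an exfiltration-shaped connection on the same port.

```python
"""Egress allowlist audit over netfilter-style outbound log lines.

Added example, not from the post above. Everything here is constructed:
the allowlist, the log format and the addresses.
"""
import ipaddress
import re

# constructed strict allowlist: destination network -> permitted ports
STRICT = {
    ipaddress.ip_network("192.0.2.0/24"): {443},      # partner API (constructed)
    ipaddress.ip_network("198.51.100.10/32"): {514},  # remote syslog (constructed)
}
# the "443 to the entire Internet" compromise the post complains about
PERMISSIVE = {**STRICT, ipaddress.ip_network("0.0.0.0/0"): {443}}

# constructed log layout; SPT is optional so UDP lines without it still parse
LOG_RE = re.compile(r"OUT=\S+ SRC=(\S+) DST=(\S+) PROTO=(\w+)(?: SPT=\d+)? DPT=(\d+)")


def parse(line: str):
    """Extract src, dst, proto and destination port, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dpt = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "port": int(dpt)}


def egress_allowed(dst: str, port: int, allowlist) -> bool:
    """True only when some allowlist entry covers both the address and the port."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and port in ports for net, ports in allowlist.items())


def audit(lines, allowlist=STRICT):
    """(dst, port) for every outbound connection the policy would not permit."""
    hits = []
    for line in lines:
        c = parse(line)
        if c and not egress_allowed(c["dst"], c["port"], allowlist):
            hits.append((c["dst"], c["port"]))
    return hits


SAMPLE_LOG = [  # constructed
    "kernel: OUT=eth0 SRC=10.0.0.5 DST=192.0.2.40 PROTO=TCP SPT=51012 DPT=443",
    "kernel: OUT=eth0 SRC=10.0.0.5 DST=198.51.100.10 PROTO=UDP DPT=514",
    "kernel: OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=51013 DPT=443",
    "kernel: OUT=eth0 SRC=10.0.0.5 DST=192.0.2.40 PROTO=TCP SPT=51014 DPT=22",
    "kernel: IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=443",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))              # strict: the 443 exfil and the ssh attempt
    print(audit(SAMPLE_LOG, PERMISSIVE))  # permissive: the 443 exfil now passes
```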

  23. More proactive blackholing of Russia? by swb · · Score: 1

    Should there be more proactive blackholing of Russia?

    Is it even practical given the many proxies, hacked non-Russian servers, etc?

    1. Re:More proactive blackholing of Russia? by Kardos · · Score: 1

      That will not effectively stop credit card fraud.

    2. Re:More proactive blackholing of Russia? by jandrese · · Score: 1

      Proxy servers exist. You've only delayed a Russian hacker maybe 5 minutes with this fix.

      --

      I read the internet for the articles.
  24. I don't see what the big deal is by mandark1967 · · Score: 1

    I keep all my important financial information on servers in Eastern Europe and the Balkans.

    They think they hacked me, but I'm just using them for free cloud storage.

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
  25. Computer Engineer Order by Anonymous Coward · · Score: 0

    What about having a strong Computer Engineer Order to protect the public, like all other real professions have?

  26. Re:Obvious question - Who else is infected? by BosstonesOwn · · Score: 1

    They usually target more than one chain, but have to tailor it to each chain as the pci-dss standard is enacted differently in each chain. Usually they will breach a big chain and use the same method for others but tailor the way they do it a bit differently and most times this helps them avoid early detection. Often the breach is discovered later, much later because it was not using the same carbon copy methods that were used in another breach.

    --
    This package Does Not Contain a Winner
  27. Re:Limiting outbound access to servers is too toug by trybywrench · · Score: 3, Interesting

    Unless I'm reading it wrong you're basically disabling webservices like making a SOAP call to a third party on behalf of the connecting user-agent. That's a non-starter for just about all companies that have at least one business partner.

    --
    I came to the datacenter drunk with a fake ID, don't you want to be just like me?
  28. Re:Limiting outbound access to servers is too toug by Anonymous Coward · · Score: 0

    It would be easier to just admit that you have absolutely no idea what you're talking about than to demonstrate it so completely.

  29. Re:Obvious question - Who else is infected? by jandrese · · Score: 1

    Target's security is especially lax, but part of the problem here is the POS terminals that are apparently stuck running old unpatched versions of Java. That's an industry wide problem. You can limit the exposure with proper network security, but it means if anybody does breach your security they will have no trouble escalating that into full blown card disclosure.

    --

    I read the internet for the articles.
  30. Russia? by hduff · · Score: 1

    So if the person the credit card is issued to is gay, the Russians won't use the data?

    OK.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  32. The Russians need the money. . . by Anonymous Coward · · Score: 0

    . . .to pay for all the security at the Olympics.

  33. Re:Limiting outbound access to servers is too toug by Anonymous Coward · · Score: 0

    No, he just wants to have a whitelist of acceptable outbound targets, and he wants the companies in charge of them to keep him up to date. So every time a business partner gets a new IP, he wants them to somehow instantly reconfigure his whitelist securely.

  34. Re:Won't shop there again, but... Serious Option! by Anonymous Coward · · Score: 0

    My emailed offer from Target specifies Experian's® ProtectMyID® product. Actually, it came from "target.bfi0.com", so aroused my suspicions of typical phishing scams with a legitimate name padded in front of an unknown domain. However, some searching around on this topic revealed that this is a real Target effort, and that bfi0.com is one of those outsource companies that Target uses for bulk emails (yet another stupid Target "miss" - they should at least have made it look like it was from target.com).

    I guess it is ok, but am holding off for a few weeks (up until the deadline) to see if any more "interesting" revelations come out about this follow-up (as in is it a follow-up attack using the emails and other PII that were also stolen?). Probably it would be a good idea to contact Experian directly to see if they are aware of, and participating, in this supposed mollification attempt by Target.

    Then there is the story of Target not cooperating with someone who spotted a $1200 bogus charge on his Target card until he coughed up all kinds of PII - in violation of "official" Target policy once a Boston CBS TV station started inquiring on behalf of the individual:
    http://boston.cbslocal.com/2014/01/16/target-now-offering-free-credit-monitoring-for-customers-in-massive-data-breach/

    Making me think more seriously about not doing anything electronic with Target, nor using their CC elsewhere (school where my wife teaches was getting a "kickback" from Target for any CC use, so that would hurt a bit, but others do that, too). I would still deal with them on a cash basis when they have good deals, but that will inhibit the big purchases for sure (and miss out on their 5% RedCard discount).

    Damn, Target, you keep being too careless/obnoxious/stupid for me to want to deal with you!

    YMMV

  35. Re:It largely doesn't matter - IT DOES TO SOME! by Anonymous Coward · · Score: 0

    A "business decision" to put customers at risk in expectation of being able to buy them off, is not ethical, and, in the long run, could well turn out to be a bad "business decision" if enough customers decide not to do any more business with that short-sighted, cynical business as a result. I am leaning strongly that way now...

  36. Re:Limiting outbound access to servers is too toug by Anonymous Coward · · Score: 0

    Nope, you're free to allow traffic to specific servers and ports, just not allow everything by default. It would make attack vectors so much less effective that it should be considered worth the effort.

  37. it DOES matter! by Steve+Hamlin · · Score: 1

    That's not how fraud works, economically. You've just described a number of costs, borne by various parties in a fairly-competitive economic market place, including "that's what your double digit interest rate is paying for." And then conclude that "the consumer doesn't eat the fraud."

    Economic losses from fraud are first borne by the directly-impacted party, and then those economic losses are passed around the economy according to various factors like pricing power and elasticities of supply and demand. Since 70% of the economy is consumer spending, then I posit that approximately 70% of all economic losses due to fraud are borne by consumers. Might be more or less, but just because Target's 100+ million affected customers are not directly impacted financially in a first-order way does not mean that they, or all consumers, don't ever see the financial impact of this fraud. They just absorb the financial impact in a thousand minor and unseen ways, as the fraud loss is absorbed into the macro-economy and attenuates down to imperceptible levels like the CMB.

    Fraud is sand in the gears of the economy, and the resulting inefficiency ultimately affects every participant in or user of that machine.

    1. Re:it DOES matter! by Kardos · · Score: 1

      You're right, the cost of fraud is spread out thinly over a variety of things, and yes, we're a bit less well off than we would be in a fraud-free scenario. It's very much like insurance, although less explicitly spelled out. A loss due to shady criminals, or a loss due to lightning strike, it's still a loss.

  38. MEEEEOOOOWWW!!!! by Anonymous Coward · · Score: 0

    SNOOOOOWWWWDEEEENNNN!!!

  39. Yet another excuse to surcharge the small merchant by speedlaw · · Score: 1

    The only problem here is that the credit card industry will then figure out yet another way to screw the small merchant. PCI compliance is a great idea. The various "insurance policies" and "penalty fees for PCI noncompliance" pushed by the interchange companies are a rip off and farce. They aren't going after my small business......but I'll pay more money to someone because some Russians hacked Target. Thanks !!! By the way, why do we have interchange companies anyway ???

  40. FUD machine by Anonymous Coward · · Score: 0

    Has anyone managed to blame this on Snowden yet?

  41. target can not secure it, anymore than the others by WindBourne · · Score: 1

    the reason is that they have outsourced their IT to India. So, now, you have 200 IT people making $10K/year, who are not very well educated, and are not strong coders. They work for a company that employs ~250 ppl who have NO loyalty to a foreign company. After all, they have NO shops in India. Along comes somebody from Russia or China and offers just 1 person $100-200K to release a virus on the network. That money will set that person's extended family up for 5-10 years. And if that coder uses it just for his/her immediate family, they retire.

    Now, to really make this interesting, they installed other trojans at the same time that it was spreading. If the systems are not all replaced in roughly the same time frame, then the trojans can simply move around. And in a couple of years, they can then re-start things up.

    As long as America uses Windows for POSs, Mag stripe cards and outsources their work, they will continue to get ripped off.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  42. Outsourced by Anonymous Coward · · Score: 0

    http://articles.timesofindia.indiatimes.com/2011-07-21/strategy/29799173_1_retail-industry-outsourcing-vendors