Kmart Says Its Payment System Was Hacked

wiredmikey writes Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast growing club dealing successful hack attacks. The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, and that debit and credit card numbers appear to have been compromised. A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.

social security? wtf

[Spy+Handler]

why would Kmart even have your social security number?

Re:social security? wtf

[MasterOfGoingFaster]

why would Kmart even have your social security number?

Uh... Employees?

Re:social security? wtf

Kmart credit cards?

Re:social security? wtf

FTFA "The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers."

Must be trure, if a spokesperson said it was.

Re:social security? wtf

[Vellmont]

Most stores these days have their own store credit cards. To apply for them you give them your SS#.

Re:social security? wtf

[lister+king+of+smeg]

why would Kmart even have your social security number?

Because they ask for it to look up your Sears credit card if you don't have it with you. Yes it is stupid

Re: social security? wtf

[EthanV2]

I'd like to know what has actually been leaked, since everything in that list is generally stuff that would be leaked in a breach of a payment system.

Re: social security? wtf

[bill_mcgonigle]

If you even go in to buy a candy bar they will ask you to apply for a credit card at the register. Even if you are eleven years old (happened to my daughter last week). Then they give you seven feet of receipt material with coupons, surveys, and a copy of the Magna Carta.

They are so going out of business. I would be short on the stock.

So this affects...

[BUL2294]

...nobody.

Re:So this affects...

So this affects nobody.

Not quite. I have elderly relatives that live in a rural area that, for some reason, only has a K-Mart. No Target, no Wal-Mart, and very little by way of decent local shopping. The closest Wal-Mart is almost an hour's drive away, and Target is closer to two, so if you live there and want something that isn't groceries, you basically have no choice but to go to K-Mart. (As you might expect, it's a piss-poor example of a store, because there's absolutely no reason to care. It's not like the shoppers have a choice.)

I'm not looking forward to having to explain to them what happened and why it affects them. They've already had to deal with their bank account being cleaned out in the past after some online vendor they used got breached. Hopefully doesn't happen again.

Re:So this affects...

[reboot246]

Advise them to pay cash for whatever they buy in brick and mortar stores, plus limit online buying to only when necessary.

It would be quicker

[Coditor]

to list who hasn't been hacked yet. I wonder if these big companies buy their security systems at K-Mart.

Officials estimates losses

[jpellino]

in the dozens of dollars.

Also at krebsonsecuritycom

[manu0601]

Brian Krebs covered it too: http://krebsonsecurity.com/2014/10/malware-based-credit-card-breach-at-kmart/

hacking-envy

[turkeydance]

if your company hasn't been hacked...well, that sucks for you.

Does K-Mart use the same stuff as Sears?

[mlts]

Sears, last time I checked was a definite IBM AIX shop with the point of sale terminals being a tad more than IBM 3151 VTs, except with a credit scanner and cash drawer. Is K-Mart on a different system, or do both Sears and K-Mart use the same POS these days?

Malware on Windows is one thing... nailing AIX systems actually would be an accomplishment.

Re:Does K-Mart use the same stuff as Sears?

[ArchieBunker]

Kmart has newer registers but the screen where you swipe credit cards looks like OS/2 or Win 3.1 judging by the hourglass displayed.

Re:Does K-Mart use the same stuff as Sears?

[execthis]

Based on what the article says about what happened - that it was actual POS malware - I still am not able to figure out a methodology that would enable such an attack to work.

Let's say someone manages to put malware on a POS device. Ok. But now how would that malware be able to communicate any information to the thieves? I cannot imagine that the POS device is just sitting on the 'net without a strict firewall in front of it allowing it access to one - and only one - address: that of the company that provides the line/aggregates the data which feeds ultimately to the merchant account provider who handles the transactions for the company.

If the POS malware tries to "phone home" with data, it should never ever be able to connect.

So the issue to me becomes more than whether a POS device actually got malware on it - what kind of setup could exist such that the device would ever have the opportunity to connect with any other host than the predesignated one it is allowed to???

Re:Does K-Mart use the same stuff as Sears?

It would be an accomplishment. Mainframe OSes, AIX, and Solaris have an impeccable record for security these days (before 2000, different story, as Sun was often bashed... but with MS as the absolute focus for the bad guys with OS X and Linux trailing), hacking an AIX box is a lot more difficult than Windows.

1: AIX has trustchk. If the executable isn't signed, it doesn't run. Linux doesn't have this functionality, and has to be done in userland. Even modified libraries won't load. Of course, this functionality is limiting, but for a static system like a cash register, it is useful.

2: AIX has a far better patch install system than anything out there. You can reject a patch and go back to the previous update. No other OS is this possible without restoring or reinstalling. Once confident with a patch, you can commit it and free the space.

3: AIX has both VMs (LPARs) and partitions (WPARs). It is easy to separate applications for defense in depth.

4: SELinux's functionality is far expanded in AIX and Solaris. Solaris 11 has no root user by default. Root is just a schmuck like every other UID. This can be changed, but hacking UID 0 means little. AIX, root can be completely removed to the point where one reboots a LPAR or machine to a service partition for updates, and boots back. This keeps users completely separated and unless there is a way to find a hole to get into kernel space on the POWER architecture, a library attack like Shellshock won't do much, if anything.

All and all, Linux is great, and has made light-years of improvements. But Solaris and AIX have not stood still, and are still ahead as enterprise-grade operating systems. For 99% of use cases, Linux is fine. However, there are items (like the need for ZFS which is at best stitched on Linux) where Solaris and AIX are musts.

Of course, the downside of AIX is that it is IBM, and thus insanely expensive... but you do get what you pay for.

Re:Does K-Mart use the same stuff as Sears?

[plover]

While it's possible (unlikely in these days of PCI) that a POS register could have a direct route to the internet, it's also likely that the registers weren't the only machines in their system that were hacked. It is probable that the criminals found a little-used server in K-Mart's HQ systems, compromised it, and set up what's called a "dump site." The registers are then configured to exfiltrate their data to this internal HQ server, perhaps by periodic FTP, and the hackers had the HQ server send batches of data out to the internet at a later time.

Re:Does K-Mart use the same stuff as Sears?

[execthis]

I was thinking that the only possibilities for the theft to happen would have to be either a) there's an administrative access to the POS systems which was breached, kind of similar to what you are saying; or b) there's some manipulation of the physical infrastructre at (a) store(s) in addition to POS malware. For example some malicious host could be inserted in the pathway of communication of the POS systems. My guess is that that isn't too likely.

More likely is something like a), or what you suggest. There was a breach in the firewall, most likely something that was permitted for administrative purposes but turned out to sloppy/insecure.

Too bad with security breaches like this one doesn't generally get an opportunity to look at the topology involved and see what actually happened with the breach. It would be a very interesting thing to study.

My shopping is becoming limited

As an IT security guy, I really find all these cracks disheartening. I guess the IT staff at these places don't really understand that security is a process, not a product. You cannot throw up a router with some ACLs and firewall or two and expect to be secure. Neither can you not make constant audits of your backend payment systems and expect security.

I've already stopped shopping at Target permanently because of their debacle. I stopped shopping at Walmart this week due to their cancelling health benefits for all part time workers despite being able to afford it and then some. Who is next to not pay attention to their security posture?

Re:My shopping is becoming limited

[ArcadeMan]

Can't you pay with regular, non-computerized cash?

Re:My shopping is becoming limited

And, don't forget that the IT staff often have to allow a big, gaping hole in the firewall to allow the vendor(s) to update your POS software per contract.

Re:My shopping is becoming limited

[networkzombie]

As an IT security guy, I don't used my credit card at Target, Sears, Kmart, Walmart, Home Depot, or any of the large targets (no pun intended). I use cash at those places (and gas stations) because it is obvious they were employing on the cheap. Low paid employees+massive transactions=easy target. They are the low hanging fruit. I use my credit card at Newegg and my favorite small restaurant where I know the owner. At least if they get hacked I will get an apology. When I setup my customers/clients to accept credit cards, I fill out the mandatory PCI compliance form for them. What a joke! Half the time the never follow up, like they say they have to, and the form basically asks if you have antivirus on the computer. Can I get an audit please? Where does the tax money go?

Re:My shopping is becoming limited

[mlts]

Very true. I'm reminded of one vendor that as part of the contract got their own direct connect to company LANs in order to directly service/support their software. I always worried that all it took was some compromise on the vendor's side, and it was a big gaping hole that could be easily nailed. The vendor was pretty much protected (part of the software contract), so if they got hacked, it was pretty much game over.

I did stick in a firewall though. The vendor had unfettered access to their machines... but no unrelated boxes, and their machines were also sectioned off. However, it was like putting a bandaid on a bullet wound, because of all the things their software touched.

Point of sale systems are not rocket science. We had better quality of code when game companies made Playstation 1 CDs (as they could not be updated, so what was released was it.) It might just be time to return to that finished quality of code... but still have an update mechanism. An update mechanism that requires not just signed firmware, but someone physically pressing a button (so the software can't be remotely updated.)

Re:My shopping is becoming limited

[RussR42]

You could try. But if the police see you with cash, they'll take it away.

It's a Pin, Chip!

[rmdingler]

It's too bad someone hasn't come up with a way to make credit cards that cannot be compromised in this manner.

Re:It's a Pin, Chip!

[ShanghaiBill]

How does that chip help when you are shopping online?

You insert it into a device attached to the USB on your computer. The chip is queried and authenticated in real time as you make your purchase. I have a bank account in China, and that is how it works there to do online transactions.

Re:It's a Pin, Chip!

[Rich0]

Woud such a chip device ever be allowed to have Linux drivers, considering how hard everything is getting hacked today, even without their existance?

I don't know how Chip/PIN was actually implemented, but if the makers had half a brain there would be no reason not to make the drivers/protocols/etc completely open. There is no reason that the system should have to rely on the security of the POS terminal - the crypto happens on the smartcard and all the terminal should do is relay stuff between the bank and the card. In fact, I don't get why they don't just put the keypad on the card itself, making the PIN harder to steal, as well as the credential on the chip.

Re:It's a Pin, Chip!

[ShanghaiBill]

I don't get why they don't just put the keypad on the card itself

In the near future, they will, because "the card" will be your cellphone.

Re:It's a Pin, Chip!

[Rich0]

I don't get why they don't just put the keypad on the card itself

In the near future, they will, because "the card" will be your cellphone.

The problem with this is that it is actually not easy to ensure that the path between the TPM and the phone touchscreen isn't compromised. You can secure the credentials in the TPM, but the PIN is harder to secure when it is entered on a device intended for general-purpose computing.

Should retailers store credit card details?

[Midnight+Thunder]

Beyond transactions, I wonder whether retailers should even be storing credit card information? Surely debating this problem to the credit card companies would be better? The only thing combines should be keep is maybe some sort of public key value for the credit card, which can only be unlocked with a user provide value. The private key would be in the hands of the credit card company to access your account.

I am thinking on the fly here, but the main gist is the less credit card details stored by non-credit card companies the better. These retailers could secure their systems better, but maybe they shouldn't be holding on to certain critical information either? We need to review what financial data is held in light of these issues.

In Europe you have a one time key for your online payments, that requires a special calculator looking device. Probably not the best solution, but not a terrible one either - it's just inconvenient and not necessarily clear to the non-tech savie.

Re:Should retailers store credit card details?

[Teresita]

In other news, people who actually have credit cards go to K-Mart...

Re:Should retailers store credit card details?

[jtownatpunk.net]

I guess you missed the part where it's the payment systems that are being compromised in recent hacks. The way our credit/debit system works, the retailer must have your account information for as long as it takes to process the transaction. When it's the terminal where you swipe your card that's compromised and passing a copy of your data to thieves, what can you (the consumer) do?

I wrote up a description of a payment system which never gives account information to retailers a while back but can't find it now. Basically a USB doohickey with biometric authentication (fingerprint scanner with pulse check), a small display, and a couple-three buttons. You plug it into the payment terminal (no wireless, goddamnit!) and, it makes a secure connection to the payment processor and indicates that you are conducting a transaction with Retailer XYZ. Retailer XYZ's payment terminal connects to the payment processor and says it's conducting a transaction with and you owe $119.37. The payment processor communicates the total to your doohickey via its secure connection which shows you the amount requested and asks if you for authorization to transfer $119.37 to Retailer XYZ from your primary payment account. You say yes/other account/no and the transaction either continues or is cancelled.

As long as the payment processor is secure, you're good. While that's still an issue, it reduces the points of failure significantly. It could also be used for all your authentication needs. Computers, online accounts, game consoles, secure buildings, etc. Secondary verification could also be added with SMS or a smartphone app.

Gotta do something because individual retailers all being responsible for their own security clearly isn't working. I lost my account number of 15 years thanks to the Home Depot crap. :P

Re:Should retailers store credit card details?

[tlhIngan]

I am thinking on the fly here, but the main gist is the less credit card details stored by non-credit card companies the better. These retailers could secure their systems better, but maybe they shouldn't be holding on to certain critical information either? We need to review what financial data is held in light of these issues.

In Europe you have a one time key for your online payments, that requires a special calculator looking device. Probably not the best solution, but not a terrible one either - it's just inconvenient and not necessarily clear to the non-tech savie.

It's all Apple's fault. I mean, three big targets hit? It certainly sounds like a recipe for promoting Apple Pay, to be honest.

(And no, Apple Pay is nothing special - it's just an implementation of EMV. What makes it "better" is nothing - it's just an implementation of EMV, including the fact that when you register a card, Apple contacts the bank and returns a virtual credit card number (the "token") which is stored in the phone. That token cannot be linked back to a real credit card except at the institution that issued the token. All you need to do is either delete the link or delete the token or both that render it invalid for future purchases. It's also why Apple can't see your transactions, and how banks know when you use Apple Pay - it's basically just a glorified credit card. Google Wallet, OTOH, puts Google in the middle - retailers bill Google and Google bills you, so Google knows every transaction you make).

And yes, it's why Apple Pay works with basically everyone - deep down, all it is is a virtual credit card. If you accept Visa/MC/Amex, Apple Pay means zero effort on your part to support. To support Google Wallet means actually having to have your payment processor support Google.

And since it can't be linked, when something like this happens, you cancel the token and get a new one issued.

Yes, it's all Apple's fault. You can bet Apple is paying hackers to do these breaches to promote h ow safe Apple Pay is since you can easily "fix it" in 5 minutes.

Pharmacy

[breman]

maybe they were going for the medical records, I heard that's big business these days.

Cash is king

[AndyKron]

That's why I use cash

Re:Cash is king

[un1nsp1red]

Plus, it makes you look like a baller.

This is terrible

[Ghoser777]

That's 10 more people who have had their personal information compromised.

Re:BLUE LIGHT SPECIAL !!

[Tablizer]

Blue Screen Special

Protect yourself from crackers the easy way

[msobkow]

Keep a sub-$1 balance in your bank account. :P

Re:Protect yourself from crackers the easy way

[msobkow]

Not when you don't have overdraft protection.

Shady practices.

Last I knew - K-Mart's parent corporation Sears, rolled all their "Sears" cards over to Citibank. When I started getting suprize charges from "Sears Home Health" and called the number on the back of the "Sears" card to complain/dispute the charges - they told me "This is Citibank - if you have a dispute - dispute it with the company who charged it". I was like "this is a Sears card - I got a charge from Sears - I am calling Sears". Turns out - sometime magically three different companies - none of whom wanted to easily reverse any charges.

Long story short - I am sure that K-Mart merely decided to adopted a new business practice selling customers' social security numbers to Nigerian scammers or something. It would be pretty par-for-the-course for them.

Doubtful forensics and common sense

[ruir]

I wonder if they have been hacked for months wether their systems and forensics are reliable enough to say for sure any personal data is not at risk. I doubt a lot they have systems in places to be able to say that with a 100% security margin. As for the current hacked systems being hacked or/with malware, anyone with common sense should not use Windows to drive critical systems.

Re:BLUE LIGHT SPECIAL !!

[plover]

"ATTENTION K-MART HACKERS!

We have a special deal for you under the flashing blue screen. Credit card numbers, all you can stuff in a ZIP file. The blue screen will only be there for the next month or so, so hurry on over and check out the checkouts."

HACK ATTACK

[darkain]

Am I the only onw who thinks "Hack Attack" would be an awesome band name !?

Re:BLUE LIGHT SPECIAL !!

[NotQuiteReal]

umm... the color blue? Loose associations come easily to those who drink-n-post.

almost said my company, would be a Target

[raymorris]

I almost mentioned the name of my company as the one that hasn't been hacked. We take security very seriously. No Microsoft products are allowed on the premises, employees are armed, etc.

Then I realized posting that could make us a Target.

Re:almost said my company, would be a Target

[Gazzonyx]

I almost mentioned the name of my company as the one that hasn't been hacked. We take security very seriously. No Microsoft products are allowed on the premises, employees are armed, etc.

Then I realized posting that could make us a Target.

Well played, sir. Well played.

Re:Kmart? wtf

[JWSmythe]

That's pretty much what I was thinking. I thought they had all closed a few years ago.

K-mart sucks

[liquidghondi]

Dr. Bruner: Well, Raymond? Aren't you more comfortable in your favorite K-Mart clothes? Charlie: Tell him, Ray. Raymond: K-Mart sucks. Dr. Bruner: Oh, I see. Charlie: Hey, Ray: you just made a joke. Raymond: Yeah, a joke. Ha ha ha... ha.

Another day another major data breach...

[mschwanke97402]

I vote that we force these corporations to take data security and IT in general more seriously. First, cut off their online credit card processing. They can use the old mechanical card swipers for a while. Once they have seriously upgraded their systems, and been independently audited, they can go back online. Require them to submit to thorough systems audits and spot checks for 5 years or so. Perhaps corporate management will get the message that IT may not be a profit center but it is necessary to continued operations.

How do you hack a crank calculator

[RubberDogBone]

KMart is well known for having barely any IT infrastructure, and what they DO have doesn't work well. They are literally one step removed from only hand-crack adding machines.

How DO you hack that?

Yes this is a serious question. One of the key differences between Walmart and KMart was how each company approached IT back in the 80s when this stuff became affordable and powerful. Walmart embraced data and wrapped their whole process around it and still uses it quasi-magical ways to glean trends, predict sales, do reorders, and find efficiencies. They extract value from data just like they squeeze their suppliers.

KMart, on the other hand, looked at computers and laughed and went on laughing for years, not noticing as Walmart out flanked them and eventually drove them into the ground head first. KMart is barely alive now, because they spent decades not having any idea what was even in the stores or what was selling. They didn't know, didn't care, had no way to handle the data even if they had it, and generally treated IT like nothing more than office internet connections to surf Yahoo.

Baseline Magazine, I believe it was, did a stellar piece on Walmart vs. Kmart and how each handled IT as of about 10 years ago. KMart is not painted on a good light. It's actually amazing an organization as incompetent as KMart is even still in business. .They have never gotten it and still don't.

Walmart had them beat years before it happened, because Walmart knew all the data. They won the war in the server room. KMart never had a chance and didn't even fight back.

K-Mart Hacked

[Gruff+2005]

K-Mart knew their system was breached 1 month ago, and only now made it public. Don't shop there never will.