Slashdot Mirror


Kmart Says Its Payment System Was Hacked

wiredmikey writes Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast-growing club dealing with successful hack attacks. The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, and that debit and credit card numbers appear to have been compromised. A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.

20 of 101 comments

  1. social security? wtf by Spy+Handler · · Score: 4, Insightful

    why would Kmart even have your social security number?

    1. Re:social security? wtf by MasterOfGoingFaster · · Score: 4, Informative

      why would Kmart even have your social security number?

      Uh... Employees?

      --
      Place nail here >+
    2. Re:social security? wtf by lister+king+of+smeg · · Score: 2

      why would Kmart even have your social security number?

      Because they ask for it to look up your Sears credit card if you don't have it with you. Yes it is stupid

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  2. So this affects... by BUL2294 · · Score: 4, Funny

    ...nobody.

    --
    Windows 3.1x calc: 3.11 - 3.10 = 0.00
  3. It would be quicker by Coditor · · Score: 5, Funny

    to list who hasn't been hacked yet. I wonder if these big companies buy their security systems at K-Mart.

  4. Officials estimates losses by jpellino · · Score: 5, Funny

    in the dozens of dollars.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  5. Also at krebsonsecurity.com by manu0601 · · Score: 4, Informative
  6. hacking-envy by turkeydance · · Score: 2

    if your company hasn't been hacked...well, that sucks for you.

  7. Does K-Mart use the same stuff as Sears? by mlts · · Score: 4, Interesting

    Sears, last time I checked, was a definite IBM AIX shop with the point of sale terminals being a tad more than IBM 3151 VTs, except with a credit scanner and cash drawer. Is K-Mart on a different system, or do both Sears and K-Mart use the same POS these days?

    Malware on Windows is one thing... nailing AIX systems actually would be an accomplishment.

    1. Re:Does K-Mart use the same stuff as Sears? by execthis · · Score: 3, Interesting

      Based on what the article says about what happened - that it was actual POS malware - I still am not able to figure out a methodology that would enable such an attack to work.

      Let's say someone manages to put malware on a POS device. Ok. But now how would that malware be able to communicate any information to the thieves? I cannot imagine that the POS device is just sitting on the 'net without a strict firewall in front of it allowing it access to one - and only one - address: that of the company that provides the line/aggregates the data which feeds ultimately to the merchant account provider who handles the transactions for the company.

      If the POS malware tries to "phone home" with data, it should never ever be able to connect.

      So the issue to me becomes more than whether a POS device actually got malware on it - what kind of setup could exist such that the device would ever have the opportunity to connect with any other host than the predesignated one it is allowed to???
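The egress restriction execthis describes (a POS host allowed to reach one predesignated address and nothing else) can be checked from flow or firewall logs. The following is an added example, not code from the thread; the POS subnet, the aggregator address and the log lines are all constructed placeholders, and it also flags DNS as a non-allowlisted path.

```python
"""Egress-allowlist check for a POS network segment (constructed example).

POS hosts may only open outbound connections to the payment aggregator's
address and port; any other outbound attempt from the POS subnet is a
detection signal worth an analyst's attention.
"""
import ipaddress
from collections import namedtuple

# Hypothetical policy: the POS subnet and the single permitted destination.
POS_SUBNET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_DESTS = {("203.0.113.10", 443)}  # aggregator; TEST-NET-3 placeholder

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed flow-log lines in a simple key=value form (not real data).
SAMPLE_LOG = """\
2014-10-09T10:01:02 src=10.50.0.21 dst=203.0.113.10 dport=443 proto=tcp
2014-10-09T10:01:05 src=10.50.0.21 dst=203.0.113.10 dport=443 proto=tcp
2014-10-09T10:02:11 src=10.50.0.33 dst=198.51.100.77 dport=80 proto=tcp
2014-10-09T10:02:12 src=10.50.0.33 dst=198.51.100.77 dport=53 proto=udp
2014-10-09T10:03:00 src=10.60.0.5 dst=198.51.100.77 dport=80 proto=tcp
"""


def parse_line(line):
    """Parse one 'ts k=v k=v ...' log line into a Flow."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    return Flow(parts[0], fields["src"], fields["dst"],
                int(fields["dport"]), fields["proto"])


def is_violation(flow):
    """True if a POS host tries to reach anything but the allowed destination."""
    if ipaddress.ip_address(flow.src) not in POS_SUBNET:
        return False  # not a POS host; outside this policy's scope
    return (flow.dst, flow.dport) not in ALLOWED_DESTS


def find_violations(log_text):
    """Return every flow in the log that breaks the POS egress policy."""
    flows = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [f for f in flows if is_violation(f)]


def summarize(violations):
    """Group violating flows by POS host so the beaconing register stands out."""
    by_host = {}
    for f in violations:
        by_host.setdefault(f.src, set()).add((f.dst, f.dport, f.proto))
    return by_host
```

In the constructed log only register 10.50.0.33 violates the policy; the 10.60.0.5 host is outside the POS subnet and is ignored.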

    2. Re:Does K-Mart use the same stuff as Sears? by Anonymous Coward · · Score: 2, Informative

      It would be an accomplishment. Mainframe OSes, AIX, and Solaris have an impeccable record for security these days (before 2000, different story, as Sun was often bashed... but with MS as the absolute focus for the bad guys with OS X and Linux trailing), hacking an AIX box is a lot more difficult than Windows.

      1: AIX has trustchk. If the executable isn't signed, it doesn't run. Linux doesn't have this functionality, and it has to be done in userland. Even modified libraries won't load. Of course, this functionality is limiting, but for a static system like a cash register, it is useful.

      2: AIX has a far better patch install system than anything out there. You can reject a patch and go back to the previous update. In no other OS is this possible without restoring or reinstalling. Once confident with a patch, you can commit it and free the space.

      3: AIX has both VMs (LPARs) and partitions (WPARs). It is easy to separate applications for defense in depth.

      4: SELinux's functionality is far expanded in AIX and Solaris. Solaris 11 has no root user by default. Root is just a schmuck like every other UID. This can be changed, but hacking UID 0 means little. In AIX, root can be completely removed to the point where one reboots a LPAR or machine to a service partition for updates, and boots back. This keeps users completely separated and unless there is a way to find a hole to get into kernel space on the POWER architecture, a library attack like Shellshock won't do much, if anything.

      All in all, Linux is great, and has made light-years of improvements. But Solaris and AIX have not stood still, and are still ahead as enterprise-grade operating systems. For 99% of use cases, Linux is fine. However, there are items (like the need for ZFS, which is at best stitched on Linux) where Solaris and AIX are musts.

      Of course, the downside of AIX is that it is IBM, and thus insanely expensive... but you do get what you pay for.

  8. Re:Should retailers store credit card details? by Teresita · · Score: 2

    In other news, people who actually have credit cards go to K-Mart...

  9. Re:My shopping is becoming limited by ArcadeMan · · Score: 2

    Can't you pay with regular, non-computerized cash?

  10. Cash is king by AndyKron · · Score: 2

    That's why I use cash

  11. This is terrible by Ghoser777 · · Score: 2

    That's 10 more people who have had their personal information compromised.

    --
    James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
  12. Protect yourself from crackers the easy way by msobkow · · Score: 2

    Keep a sub-$1 balance in your bank account. :P

    --
    I do not fail; I succeed at finding out what does not work.
  13. Re:It's a Pin, Chip! by ShanghaiBill · · Score: 2

    How does that chip help when you are shopping online?

    You insert it into a device attached to the USB on your computer. The chip is queried and authenticated in real time as you make your purchase. I have a bank account in China, and that is how it works there to do online transactions.

  14. Re:My shopping is becoming limited by mlts · · Score: 3, Insightful

    Very true. I'm reminded of one vendor that as part of the contract got their own direct connect to company LANs in order to directly service/support their software. I always worried that all it took was some compromise on the vendor's side, and it was a big gaping hole that could be easily nailed. The vendor was pretty much protected (part of the software contract), so if they got hacked, it was pretty much game over.

    I did stick in a firewall though. The vendor had unfettered access to their machines... but no unrelated boxes, and their machines were also sectioned off. However, it was like putting a bandaid on a bullet wound, because of all the things their software touched.

    Point of sale systems are not rocket science. We had better quality of code when game companies made Playstation 1 CDs (as they could not be updated, so what was released was it.) It might just be time to return to that finished quality of code... but still have an update mechanism. An update mechanism that requires not just signed firmware, but someone physically pressing a button (so the software can't be remotely updated.)

  15. almost said my company, would be a Target by raymorris · · Score: 5, Funny

    I almost mentioned the name of my company as the one that hasn't been hacked. We take security very seriously. No Microsoft products are allowed on the premises, employees are armed, etc.

    Then I realized posting that could make us a Target.

  16. How do you hack a crank calculator by RubberDogBone · · Score: 2

    KMart is well known for having barely any IT infrastructure, and what they DO have doesn't work well. They are literally one step removed from only hand-crank adding machines.

    How DO you hack that?

    Yes, this is a serious question. One of the key differences between Walmart and KMart was how each company approached IT back in the 80s when this stuff became affordable and powerful. Walmart embraced data and wrapped their whole process around it and still uses it in quasi-magical ways to glean trends, predict sales, do reorders, and find efficiencies. They extract value from data just like they squeeze their suppliers.

    KMart, on the other hand, looked at computers and laughed and went on laughing for years, not noticing as Walmart outflanked them and eventually drove them into the ground head first. KMart is barely alive now, because they spent decades not having any idea what was even in the stores or what was selling. They didn't know, didn't care, had no way to handle the data even if they had it, and generally treated IT like nothing more than office internet connections to surf Yahoo.

    Baseline Magazine, I believe it was, did a stellar piece on Walmart vs. Kmart and how each handled IT as of about 10 years ago. KMart is not painted in a good light. It's actually amazing an organization as incompetent as KMart is even still in business. They have never gotten it and still don't.

    Walmart had them beat years before it happened, because Walmart knew all the data. They won the war in the server room. KMart never had a chance and didn't even fight back.

    --
    Sig for hire.