Slashdot Mirror


Kmart Says Its Payment System Was Hacked

wiredmikey writes Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast-growing club dealing with successful hack attacks. The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, and that debit and credit card numbers appear to have been compromised. A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.

10 of 101 comments

  1. social security? wtf by Spy+Handler · · Score: 4, Insightful

    why would Kmart even have your social security number?

    1. Re:social security? wtf by MasterOfGoingFaster · · Score: 4, Informative

      why would Kmart even have your social security number?

      Uh... Employees?

      --
      Place nail here >+
  2. So this affects... by BUL2294 · · Score: 4, Funny

    ...nobody.

    --
    Windows 3.1x calc: 3.11 - 3.10 = 0.00
  3. It would be quicker by Coditor · · Score: 5, Funny

    to list who hasn't been hacked yet. I wonder if these big companies buy their security systems at K-Mart.

  4. Officials estimates losses by jpellino · · Score: 5, Funny

    in the dozens of dollars.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  5. Also at krebsonsecurity.com by manu0601 · · Score: 4, Informative
  6. Does K-Mart use the same stuff as Sears? by mlts · · Score: 4, Interesting

    Sears, last time I checked was a definite IBM AIX shop with the point of sale terminals being a tad more than IBM 3151 VTs, except with a credit scanner and cash drawer. Is K-Mart on a different system, or do both Sears and K-Mart use the same POS these days?

    Malware on Windows is one thing... nailing AIX systems actually would be an accomplishment.

    1. Re:Does K-Mart use the same stuff as Sears? by execthis · · Score: 3, Interesting

      Based on what the article says about what happened - that it was actual POS malware - I still am not able to figure out a methodology that would enable such an attack to work.

      Let's say someone manages to put malware on a POS device. Ok. But now how would that malware be able to communicate any information to the thieves? I cannot imagine that the POS device is just sitting on the 'net without a strict firewall in front of it allowing it access to one - and only one - address: that of the company that provides the line/aggregates the data which feeds ultimately to the merchant account provider who handles the transactions for the company.

      If the POS malware tries to "phone home" with data, it should never ever be able to connect.

      So the issue to me becomes more than whether a POS device actually got malware on it - what kind of setup could exist such that the device would ever have the opportunity to connect with any other host than the predesignated one it is allowed to???

  7. Re:My shopping is becoming limited by mlts · · Score: 3, Insightful

    Very true. I'm reminded of one vendor that as part of the contract got their own direct connect to company LANs in order to directly service/support their software. I always worried that all it took was some compromise on the vendor's side, and it was a big gaping hole that could be easily nailed. The vendor was pretty much protected (part of the software contract), so if they got hacked, it was pretty much game over.

    I did stick in a firewall though. The vendor had unfettered access to their machines... but no unrelated boxes, and their machines were also sectioned off. However, it was like putting a band-aid on a bullet wound, because of all the things their software touched.

    Point of sale systems are not rocket science. We had better quality of code when game companies made Playstation 1 CDs (as they could not be updated, so what was released was it). It might just be time to return to that finished quality of code... but still have an update mechanism. An update mechanism that requires not just signed firmware, but someone physically pressing a button (so the software can't be remotely updated).
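    The two comments above (execthis on a POS terminal that should be able to reach one and only one processor address, and mlts on walling a vendor's support boxes off from everything else) both describe an egress allow-list per network segment. The script below is an added example, not code from any poster or from Kmart, Sears or any vendor named in the thread: it encodes that policy for two constructed zones and runs a handful of constructed firewall flow records through it, reporting every connection the firewall let through that the policy says should have been dropped. All addresses, zone names and log lines are made up for illustration; on a real network the zones and the allowed (address, port) pairs would come from the payment processor's published endpoints and the vendor contract.

```python
"""Egress allow-list check for a segmented retail network (added example).

Models the setup described in the thread: POS terminals may talk to the
payment processor only, vendor support hosts may talk to the vendor's own
update server only, and everything else is denied.  Constructed flow
records are evaluated against that policy so an analyst can see which
"phone home" attempts the firewall should have blocked but did not.
Every zone, address and log line here is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed network zones (assumed addressing, not any real retailer's).
ZONES = {
    "pos":    ip_network("10.10.0.0/24"),
    "vendor": ip_network("10.20.0.0/24"),
}

# Per-zone egress allow-list: the only (destination, port) pairs permitted.
EGRESS_ALLOW = {
    "pos":    {("198.51.100.10", 443)},   # payment processor gateway (constructed)
    "vendor": {("203.0.113.5", 443)},     # vendor update server (constructed)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    action: str  # what the firewall actually did: "allow" or "deny"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form 'src dst dport action'."""
    src, dst, dport, action = line.split()
    return Flow(src, dst, int(dport), action)


def zone_of(addr: str) -> Optional[str]:
    """Return the zone a source address belongs to, or None if unknown."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return None


def policy_verdict(flow: Flow) -> str:
    """What the egress policy says should happen to this flow."""
    zone = zone_of(flow.src)
    if zone is None:
        return "deny"  # unknown source: default deny
    return "allow" if (flow.dst, flow.dport) in EGRESS_ALLOW[zone] else "deny"


def find_violations(lines: List[str]) -> List[Flow]:
    """Flows the policy says to deny but the firewall actually allowed.

    Any hit means a device reached a host it was never supposed to reach,
    i.e. the segmentation on the diagram is not the segmentation in force.
    """
    return [f for f in map(parse_flow, lines)
            if policy_verdict(f) == "deny" and f.action == "allow"]


# Constructed sample log: two expected flows, one correctly blocked flow,
# one POS terminal reaching an unknown host, one vendor box reaching into
# the POS zone.
SAMPLE_LOG = [
    "10.10.0.17 198.51.100.10 443 allow",  # POS -> processor: expected
    "10.10.0.17 203.0.113.99 443 allow",   # POS -> unknown host: violation
    "10.10.0.23 198.51.100.10 443 allow",  # POS -> processor: expected
    "10.10.0.23 192.0.2.44 8080 deny",     # blocked as the policy intends
    "10.20.0.5 203.0.113.5 443 allow",     # vendor -> vendor update: expected
    "10.20.0.5 10.10.0.17 22 allow",       # vendor -> POS zone: violation
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"ALERT {v.src} -> {v.dst}:{v.dport} was allowed; policy says deny")
```

    Run against the constructed log it reports two alerts: the POS terminal that reached 203.0.113.99 and the vendor host that opened port 22 into the POS segment. The same check fed from real firewall flow exports is a cheap way to verify, rather than assume, that a terminal can only ever talk to its processor.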

  8. almost said my company, would be a Target by raymorris · · Score: 5, Funny

    I almost mentioned the name of my company as the one that hasn't been hacked. We take security very seriously. No Microsoft products are allowed on the premises, employees are armed, etc.

    Then I realized posting that could make us a Target.