
Target Confirms Point-of-Sale Malware Was Used In Attack

samzenpus posted about 3 months ago | from the weapon-of-choice dept.

Security 250

wiredmikey writes "According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country. Steinhafel told CNBC's Becky Quick in an interview that malware was used in attacks that compromised the company's point of sale registers. According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy holiday shopping season. According to sources who spoke to Reuters, attackers used RAM scraper, or memory parser, malware to steal sensitive data from Target and other retail victims. Visa issued alerts about attacks utilizing these types of malware in April 2013 and again in August 2013. Memory parser malware targets payment card data being processed 'in the clear' (unencrypted) in a system's random access memory (RAM). 'The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,' Visa explained in a security advisory."


250 comments

NSA-level shit (0)

mozumder (178398) | about 3 months ago | (#45942631)

These Russian hackers know their shit.. almost as good as the NSA.

There's a good case to be made for the NSA to go after them at this point.

Who's against the NSA now??

Re:NSA-level shit (2)

jeffmeden (135043) | about 3 months ago | (#45943375)

These Russian hackers know their shit.. almost as good as the NSA.

There's a good case to be made for the NSA to go after them at this point.

Who's against the NSA now??

Ah, er, if it were actually the NSA that engaged in protecting against/pursuing/prosecuting these types of things, then yes not as many people would be "Against" them. Alas, they don't (and make no promises to) do anything of the sort. Continuing to snoop on unsuspecting people around the world? That IS in their wheelhouse.

Re:NSA-level shit (1)

Charliemopps (1157495) | about 3 months ago | (#45943457)

Who's against the NSA now??

ME

use bitcoin (1)

h00manist (800926) | about 3 months ago | (#45943511)

they should have used bitcoin in the stores.

Re:use bitcoin (5, Insightful)

DickBreath (207180) | about 3 months ago | (#45943585)

Maybe instead, there is something Target should NOT have used in their store POS systems.

http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407

Malware (0)

Anonymous Coward | about 3 months ago | (#45942639)

But was that malware also responsible for a first post?

Cheap architecture + short cuts = DOOM (4, Insightful)

ackthpt (218170) | about 3 months ago | (#45942669)

There's any number of ways their POS system could have been done securely, but somewhere a decision must have been made on costs, in regard to paring them down, which resulted in something about as secure as an intranet of unprotected Windows XP computers exposed to the internet. No isolated network, no encryption, dependence upon commodity *cough* Windows *cough* operating system, etc.

I'm sure it all looked great, until this happened, then they get 200% more wise.

Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.

Re:Cheap architecture + short cuts = DOOM (4, Interesting)

Stormy Dragon (800799) | about 3 months ago | (#45942713)

Really, the card companies ought to be black boxing the readers, so that the POS system never has access to unencrypted transaction information to begin with. They really only need to know if the transaction was approved.

They already do this for small retailers (those little card reader/tape dispenser thingies sitting next to the register). They need to start forcing a similar system on the big retailers.

Re:Cheap architecture + short cuts = DOOM (2)

lgw (121541) | about 3 months ago | (#45942777)

ATM number keyboards are special: they never let a PIN into the RAM of the ATM, only a salted hash of the PIN. (Most of them are also horribly flawed in that they also have a "normal" mode, allowing a hacked ATM to display a UI to harvest PINs in that mode. Sigh.)

Use this same technique for card readers: the magstripe reader doesn't ever put the raw bits on the wire, only a salted hash of those bits, so that's all that's available to a RAM scraper.

Re:Cheap architecture + short cuts = DOOM (2, Interesting)

Anonymous Coward | about 3 months ago | (#45943399)

ATM keypads don't generate hashes of your PIN. They hold a cryptographic key that is derived from another key from the network and then use the resulting key to encrypt your PIN entry, but you are correct. Those keys and your PIN number are held in memory on the PIN pad.
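The two comments above disagree on what leaves a PIN pad: the correction is right that it is an encrypted PIN block, not a hash, and the PAN is mixed in before encryption, which is the "salt" the first commenter had in mind. The added example below builds an ISO 9564-1 format 0 PIN block, the step a pad performs before encrypting it under its working key. It is not any ATM vendor's code; the encryption of the block itself (3DES or AES under a key the pad holds) is deliberately left out, since the Python standard library has no such cipher and the point here is the formatting step.

```python
"""ISO 9564-1 format 0 PIN block, the step a PIN pad performs before
encrypting the PIN under its working key. Added example, not an ATM
vendor's code; encrypting the block (3DES/AES under a pad-held key) is
not implemented, as the standard library has no such cipher."""


def _pan_field(pan: str) -> bytes:
    # Twelve rightmost PAN digits excluding the check digit, left-padded with zeros.
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def pin_block_format0(pin: str, pan: str) -> bytes:
    """'0' + PIN length + PIN digits, padded with F to 16 nibbles, XORed with the PAN field."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Reverse of the formatting step; only meaningful with the right PAN.
    This is NOT decryption: without the encryption step that follows in a
    real pad, anyone holding the PAN can undo the XOR."""
    clear = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if clear[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(clear[1], 16)
    return clear[2:2 + length]


if __name__ == "__main__":
    # Same PIN, two different (test) PANs: the blocks differ, so a captured
    # block is bound to one card even before encryption.
    for pan in ("4111111111111111", "5555555555554444"):
        print(pan[-4:], pin_block_format0("1234", pan).hex())
```

The binding to the PAN is why a block captured from one transaction cannot be replayed against another card, and the subsequent encryption under a key that never leaves the pad is why a RAM scraper on the host sees neither the PIN nor anything from which it can be recovered.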

Re:Cheap architecture + short cuts = DOOM (1)

Anonymous Coward | about 3 months ago | (#45942847)

Yes, I'm not sure why the unencrypted card stripe data needs to be anywhere except in the little black box (LBB) that swipes the card and the bank's computer.

The interface between the cash register and LBB could/should be.
      I need this much money.
         
    Ok, here's the confirmation number.

Re:Cheap architecture + short cuts = DOOM (5, Interesting)

aviators99 (895782) | about 3 months ago | (#45942883)

In 2015, EMV becomes required in the US. Those retailers who don't black box their card readers will be 100% liable for fraud at their point-of-sale (including stolen cards).

Re:Cheap architecture + short cuts = DOOM (1)

Anonymous Coward | about 3 months ago | (#45943509)

Just nit-picking, but EMV is not a requirement; but if a retailer doesn't have EMV capable POS/ATM readers and your bank does, then the retailer is liable for the fraud. If the retailer has EMV and the bank doesn't, then the bank is liable for the fraud.

Also, the deadline varies by acquiring network.

Re:Cheap architecture + short cuts = DOOM (5, Interesting)

Anonymous Coward | about 3 months ago | (#45942947)

I'm very surprised that Target thinks that every register in every store was infected. Just getting them all running the same malware is a major feat. And how did this POS malware get ahold of the 70 million "guest" records that weren't on the POS devices?

Re:Cheap architecture + short cuts = DOOM (1)

Anonymous Coward | about 3 months ago | (#45943011)

It is still much cheaper for these companies to offer "protection" and reimburse card holders than to be proactive about security past a certain point.

Until this changes (someone brings down the entire system, exposing *everything*), the companies will continue to operate as usual.

Re:Cheap architecture + short cuts = DOOM (4, Insightful)

catfood (40112) | about 3 months ago | (#45943209)

That's because they're not paying the full costs of the damage they allow through poor security practices. If they reimbursed you and me and millions of other people for our time and effort to clean up their mess, it wouldn't be cheaper than solving the problem.

Re:Cheap architecture + short cuts = DOOM (4, Interesting)

udachny (2454394) | about 3 months ago | (#45943035)

I build and support retail management systems, supply chain management, CRM, ERP for retailers, for suppliers, for shipping, logistics and such. The simplest way to use a bank terminal is NOT to connect it to a POS in the first place. But this means lack of integration and possible errors by a POS operator, if for example they have to indicate in the POS system whether it was a cash or a card transaction, etc. We provide our own Linux-based solutions for all parts of the business management, including integrated, Linux-based POS, but again, the way we integrate it, the POS doesn't even get to see the bank terminal information, it sends the total amount to the terminal and expects a confirmation or a rejection back from it, it doesn't operate the terminal, it is not even possible for the POS to know what is happening between the customer and the terminal. From my POV it is bad form to allow POS to know anything that the terminal does beyond final status of the transaction.
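The two-message interface sketched earlier in this thread ("I need this much money" / "Ok, here's the confirmation number") and the integration described in the comment above are the same design: the register talks to the terminal in amounts and outcomes only. The added example below models that boundary so the difference is checkable. It is not any vendor's protocol; the terminal, the acquirer and the message fields are assumptions, the card swipe is delivered to the terminal directly (as a customer would do) rather than through the register, and the final check shows that the register's own records contain no PAN while the terminal's transient state does.

```python
"""A register that never touches card data: it sends an amount to the
payment terminal and gets back only an approve/decline result.
Added example; the terminal, acquirer and message shapes are assumptions,
not any vendor's protocol."""
import hashlib
import re
from datetime import date

PAN_RUN = re.compile(r"\d{13,19}")


def contains_pan(text: str) -> bool:
    """Crude check used below to show what each side can see."""
    return PAN_RUN.search(text) is not None


def parse_track2(swipe: str) -> dict:
    m = re.fullmatch(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]*\?", swipe)
    if not m:
        raise ValueError("not Track 2 data")
    return {"pan": m.group(1), "exp_yy": int(m.group(2)),
            "exp_mm": int(m.group(3)), "service_code": m.group(4)}


class Acquirer:
    """Stand-in for the acquiring host: the only party besides the terminal
    that sees the PAN."""
    def __init__(self):
        self.stan = 0  # system trace audit number

    def authorize(self, pan: str, exp_yy: int, exp_mm: int,
                  amount_cents: int, today: date) -> dict:
        self.stan += 1
        if (2000 + exp_yy, exp_mm) < (today.year, today.month):
            return {"status": "DECLINED", "reason": "expired"}
        digest = hashlib.sha256(f"{pan}:{amount_cents}:{self.stan}".encode()).hexdigest()
        return {"status": "APPROVED", "auth_code": digest[:6].upper()}


class PaymentTerminal:
    """Stand-in for the tamper-resistant reader. Card data enters here
    (customer swipe) and leaves only towards the acquirer."""
    def __init__(self, acquirer: Acquirer, today: date = None):
        self.acquirer = acquirer
        self.today = today or date.today()
        self.pending = None
        # Kept only so the example can show what stays on the terminal side;
        # a real terminal would not retain clear track data.
        self.journal = []

    def present_card(self, swipe: str) -> None:
        self.pending = parse_track2(swipe)
        self.journal.append(swipe)

    def sale(self, amount_cents: int) -> dict:
        if self.pending is None:
            raise RuntimeError("no card presented")
        card, self.pending = self.pending, None
        result = self.acquirer.authorize(card["pan"], card["exp_yy"], card["exp_mm"],
                                         amount_cents, self.today)
        # Everything below this line is all the register is allowed to learn.
        return {"amount": amount_cents, "status": result["status"],
                "auth_code": result.get("auth_code"), "reason": result.get("reason"),
                "pan_masked": "*" * (len(card["pan"]) - 4) + card["pan"][-4:]}


class Register:
    """The POS: knows the basket and the amount, sees only the outcome."""
    def __init__(self, terminal: PaymentTerminal):
        self.terminal = terminal
        self.log = []

    def tender(self, amount_cents: int) -> dict:
        receipt = self.terminal.sale(amount_cents)
        self.log.append({"request": {"amount": amount_cents}, "response": receipt})
        return receipt


if __name__ == "__main__":
    term = PaymentTerminal(Acquirer(), today=date(2014, 1, 12))
    reg = Register(term)
    term.present_card(";4111111111111111=2512101123456789?")  # constructed test swipe
    print(reg.tender(2317))
    print("register log has PAN:", contains_pan(str(reg.log)))
    print("terminal side has PAN:", contains_pan(str(term.journal)))
```

With this split, a memory parser on the register host has nothing to find: the only card-derived value in the register's address space is the masked PAN on the receipt. Whether a given deployment actually looks like this is exactly what the track-data scan earlier on this page can tell you.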

Re:Cheap architecture + short cuts = DOOM (1)

omnichad (1198475) | about 3 months ago | (#45943541)

I think the problem is that the card terminals the banks issue aren't that great from a UI standpoint, and big businesses want to design that hardware, too. Target actually has a great UI as far as button sizes and ease of use. They should rethink integrating them at that level, but it's much harder to make their own black box. I think they'll have to look into that now.

Re:Cheap architecture + short cuts = DOOM (3, Interesting)

Penguinisto (415985) | about 3 months ago | (#45942725)

Seriously? Unless they radically alter how these things are built and networked, all it would take is one disgruntled cashier (or one willing to accept a percent of the take) + one register that isn't quite visible from the cameras + one appropriately-loaded USB stick (or similar device).

Re:Cheap architecture + short cuts = DOOM (5, Insightful)

i.r.id10t (595143) | about 3 months ago | (#45942831)

I'm sure it all looked great, until this happened, then they get 200% more wise.

Experience is learning from mistakes you make

Wisdom is learning from the mistakes other people make

Re:Cheap architecture + short cuts = DOOM (2)

houstonbofh (602064) | about 3 months ago | (#45942845)

Not to mention that most of the popular POS systems run on XP, and still will for long after Microsoft has abandoned it.

Re:Cheap architecture + short cuts = DOOM (2)

roc97007 (608802) | about 3 months ago | (#45942939)

Windows XP? If only. I haven't seen a Target POS machine reboot, but the ones I've seen in other stores display the Windows 98 splash screen.

Re:Cheap architecture + short cuts = DOOM (0)

TWiTfan (2887093) | about 3 months ago | (#45942991)

Yeah, but upgrading the system costs money, which cuts into executive bonuses. And the CEO was REALLY wanting that mansion in the Alps this year.

Re:Cheap architecture + short cuts = DOOM (0)

Anonymous Coward | about 3 months ago | (#45943043)

There's any number of ways their POS system could have been done securely

"Secure systems" don't exist, there's nothing, no hardware, no software that is 100% secure, at this point, people should be aware that, sooner or later, anything they choose to trust WILL BE successfully attacked by someone. You could build your systems aiming for the strongest security, but you'll never be 100% safe.
That being said, they probably didn't build their systems thinking of clients' security, that's for sure.

Re:Cheap architecture + short cuts = DOOM (2)

MobyDisk (75490) | about 3 months ago | (#45943047)

There isn't much we can do until there is end-to-end encryption in the purchasing process. The POS device should never even know your pin or credit card number.

Yes. Inside job without a doubt. (5, Informative)

Anonymous Coward | about 3 months ago | (#45943197)

I worked on POS systems back in the late 90s - so, keep in mind my knowledge is not recent - no really, retailers move at a snails pace when it comes to technology.

First, this was an inside job. POS systems are too stupid to connect to the Internet.

Second, back in my day, the register was a very dumb PC (DOS with an extender and later moved to Windows - yeah, I know). Network security NEVER entered the picture because it is a closed system: POS->Store server->Local/Main office over leased lines or VPN on the internet. The servers were slow shit. All they need to do is record sales data.

In other words, IF the POS servers were in fact connected to the Internet so that crackers could get it, then someone really really really screwed up because there was absolutely no reasons to do so. Too slow.

And if these servers WERE connected to the Internet, all the crackers would see is unencrypted transaction data: CC #s, exp dates, amounts, what was bought, names, and all the other data collected by the POS computer. Yeah, wide open - because it was thought that no one outside the store would ever see it.

Retailing, in general, is a VERY competitive business with razor thin margins. Go to your finance website of choice and compare Walmart's, Target's, Sears' or whoever's operating margins with any other industry's company - Pharma is my favorite comparison: try Bristol-Myers Squibb (BMY). So, they take THE cheapest way out every time.

Re:Yes. Inside job without a doubt. (4, Insightful)

mythosaz (572040) | about 3 months ago | (#45943535)

It's much, much more likely that hackers penetrated the network by other means, and then, once inside the network, compromised the POS systems -- which could then report back to the intermediary system, which could report out (or be repeatedly accessed from outside).

It's unlikely that the POS systems themselves reached out to the internet. That would have been noticed far, far too easily.

Re:Cheap architecture + short cuts = DOOM (5, Interesting)

y86 (111726) | about 3 months ago | (#45943325)

I'm sure it all looked great, until this happened, then they get 200% more wise.

Seems everywhere I go these cheap systems are in place and the malware may already be chugging along for years without detection.

I worked for a MAJOR retailer that was involved with a credit card crisis. The only reason the registers didn't get raped was the fact they ran Linux. The actual POS servers ran Windows 2000 so that is what got cracked. Management was working hard to get away from these solid state Linux computers for the "cost savings" in administration of the Windows platform. I can tell you that a multipurpose platform is not appropriate for a specialized task.

Re:Cheap architecture + short cuts = DOOM (0)

Anonymous Coward | about 3 months ago | (#45943357)

I bet Target and these companies all use the same POS vendor.

Re: Cheap architecture + short cuts = DOOM (2, Interesting)

Anonymous Coward | about 3 months ago | (#45943573)

Nope. But they all offshored their IT to India.

it gets worse. (3, Interesting)

Anonymous Coward | about 3 months ago | (#45943533)

First, Target has NOT wiped and re-installed. As such, there are Trojans waiting to come alive and look for other malware to install.
But it gets better. Everybody is missing the fact that all of the companies having this malware offshore their IT. What is happening is that Indians are paid $8-10k, and are then offered 100-200k to release the malware. Of course they do it. They are set up for life and do not hurt their peers.

this will continue as long as American companies are dumb enough to offshore.

Re:Cheap architecture + short cuts = DOOM (0)

Anonymous Coward | about 3 months ago | (#45943547)

Which explains why POS is "point of sale" as well as "piece of shit".

Somebody should be by soon (2, Insightful)

cold fjord (826450) | about 3 months ago | (#45942673)

Somebody should be by soon to defend the l33t crackers involved in this. Can't wait to read it....

"We did you a service, now you know." Of course they won't give up anything they managed to steal.

Brace yourself for new laws.

Re:Somebody should be by soon (0)

Anonymous Coward | about 3 months ago | (#45942839)

Brace yourself for new laws.

There is no need for new laws.

There IS, however, a need to pay with cash, at Target and any other store which uses poor security procedures.

Re:Somebody should be by soon (1)

Anonymous Coward | about 3 months ago | (#45943015)

There IS, however, a need to pay with cash, at Target and any other store which uses poor security procedures.

They don't advertise their poor security practices. Should we just ask the cashier?

Re:Somebody should be by soon (0)

Anonymous Coward | about 3 months ago | (#45943065)

Brace yourself for new laws.

There is no need for new laws.

There IS, however, a need to pay with cash, at Target and any other store which uses poor security procedures.

Don't know how this is in the US, but where I live the credit card companies would cover all fraud. As long as you use credit card and not debit card you are good.

Re:Somebody should be by soon (0)

Anonymous Coward | about 3 months ago | (#45943295)

In the US, both credit and debit transactions are protected from fraud, although the customer is in theory responsible for the first $50. The last two times I had a debit card stolen, my credit union waived that $50 thing; your mileage may vary.

Re: Somebody should be by soon (1)

Anonymous Coward | about 3 months ago | (#45943549)

Debit cards and Credit cards have vastly different protections.

Credit card fraud? Ok, we will reverse the transactions and cancel and reissue you another card.

Debit card fraud? Here fill out this form and in 6-9 weeks after we investigate maybe we will refund your money back into your bank account (hint your account is already zeroed, hope no bills are due in the next month)... Oh and you will probably want to close out your existing account and open a new one.

Debit cards should only be used for one thing, getting cash out of an ATM. Even that they are dangerous to carry around with you, kind of like carrying your bank balance around in cash on you.

Re:Somebody should be by soon (0)

Anonymous Coward | about 3 months ago | (#45943381)

> There is no need for new laws.

when has that ever been an impediment to the creation of new laws in the past?

Re:Somebody should be by soon (0)

Anonymous Coward | about 3 months ago | (#45943263)

No, the hackers here got some actual money out of it, so they're not going to blab on twitter about how they totes did it for the lulz.

CASH (0)

Anonymous Coward | about 3 months ago | (#45942677)

It's the only answer to limit exposure to mass fraud.

Re:CASH (2, Interesting)

Anonymous Coward | about 3 months ago | (#45942857)

It's the only answer to limit exposure to mass fraud.

Yeah, because there was no fraud before electronic transactions.. Last report I saw (admittedly around a year ago), old style "manual" money fraud (counterfeit, impersonating, etc.) was still estimated to exceed electronic fraud by an order of magnitude.

Re:CASH (0)

Anonymous Coward | about 3 months ago | (#45943581)

Sure. However, if you use cash, the thieves a) will never, ever be able to draw against your debit and credit cards because of a vulnerability at the retail level, b) won't have access to any meaningful quantity of your personal information. The same cannot be said of credit and debit.

Indeed, as a cash customer of a hacked retailer, the very worst the criminals can do to you is to get anonymous aggregate information, or perhaps your purchasing history if you use a club card or something along those lines. In other words, not terribly valuable stuff, other than to a retailer.

The liability on old style money fraud is largely borne on the seller, not on individual customers. You could argue the buyer ultimately pays, but it's an infinitesimal amount compared to the damage one impersonator can do to you on a personal level, once they have all of your info. And consider this a bonus: with cash, you can't spend money you don't have in your hand right then and there, which forces you to either plan ahead, or to save up. That's a great way to not get into the credit card debt treadmill.

POS (0)

Anonymous Coward | about 3 months ago | (#45942709)

Those piece of shit registers..

What they bought with said data.. (0)

Anonymous Coward | about 3 months ago | (#45942757)

..an amazon prime subscription here. What have you [unlucky ones] had to phone the fraud department about?

Re:What they bought with said data.. (1)

i.r.id10t (595143) | about 3 months ago | (#45942897)

Nothing - they called us (Visa branded gas card). Sent a new card automatically, called to let us know why our current card wasn't good any more, the fact that someone tried to run a $1500 purchase on it an hour ago, and that a new card was in the mail.

Kinda impressive as far as customer service goes in my opinion.

Re:What they bought with said data.. (0)

Anonymous Coward | about 3 months ago | (#45942927)

..an amazon prime subscription here. What have you [unlucky ones] had to phone the fraud department about?

Damn, that's a seriously stupid thief. You buy actual goods and gift cards with stolen credit cards.. Or better, you sell the data to some stupid people.

Re:What they bought with said data.. (0)

Anonymous Coward | about 3 months ago | (#45943275)

Hmm what I wrote can be read different ways, I phoned in a fraud case just last night over an amazon subscription charge. Better? I was curious if anyone else got stuck with something and what it was.

Re:What they bought with said data.. (1)

hawguy (1600213) | about 3 months ago | (#45943519)

..an amazon prime subscription here. What have you [unlucky ones] had to phone the fraud department about?

Damn that's seriously stupid thief. You buy actual goods and gift cards with stolen credit cards.. Or better, you sell the data to some stupid people.

Why not buy an amazon prime subscription if it saves him money? The card thief likely wants to ship as many packages as possible as quickly as possible to whoever is fencing or forwarding the goods for him, so an Amazon Prime membership might make sense to get the $3.99 one-day shipping.

Cash only economy (0)

Anonymous Coward | about 3 months ago | (#45942783)

Once enough of these flaws of electronic currency exchange are exposed, people will begin the slow march back to a cash only economy. Spectacular displays of insecurity will serve to highlight just how insecure the current system is, with low bidder technology and programmers who simply do not understand security. The cancer will eat the current systems from within and large denomination bills and precious metals will become the law of the land. Currently, I keep at least $1000 dollars in cash with me at all times.

Re:Cash only economy (1)

houstonbofh (602064) | about 3 months ago | (#45942875)

Currently, I keep at least $1000 dollars in cash with me at all times.

Where do you live? ;)
However, no one yet has a method for taking cash over the phone or internet. It could end up being cash and Bitcoin, or cash and something else, but cash does not solve all problems.

Re:Cash only economy (1)

JeffAtl (1737988) | about 3 months ago | (#45943409)

Better not let cops know that you carry that much cash with you or it will get seized.

Re:Cash only economy (3, Interesting)

mythosaz (572040) | about 3 months ago | (#45943607)

...then they better start patting down everyone entering or exiting casinos.

As a degenerate gambler and poker player (two different things), I've regularly got plenty of cash on me, and it's never, ever, been a problem. Thousands of people show up to the WSOP every year and pay for buy-ins in cash. Every poker forum gets the same question asked every year before the WSOP, "How do I bring 10-20k in cash with me to the WSOP?" ...and the same answer gets given every year. If you don't want to just wire your entry fee to the tournament cage (or your bankroll to a casino host), or you plan on just playing cash games, call your bank, tell them you're going to withdraw a bunch of cash - so they can have a bunch on hand - then take it with you to the event. If someone says, "Hey, what's all this cash," you say, "I'm a poker player." Works for thousands of us every time.

Of course, I don't wander crack alleys with it, so, YMMV.

Re:Cash only economy (0)

Anonymous Coward | about 3 months ago | (#45942969)

It's a delicate balance; you fear corporations (by their tracking and by their poor security) so you carry lots of cash more than you fear getting mugged. Until you get mugged. Put extra cash in a safe at home (or use ATMs more often) and only walk around with the most you could spend in one day. Refill when you put your wallet in your pocket/purse. Going to the store for a bigger purchase? Put more money in your wallet. Keep extra cash in a money pouch in your sock or in a money belt for impulse buys. This actually helps you spend less, too.

Re:Cash only economy (2)

jythie (914043) | about 3 months ago | (#45943149)

And that is why it is unlikely there will be some big (or slow) revolution to go cash based. All the methods of handling your money have advantages, disadvantages, emotional attachments, and probabilities associated with them, with each person or demographic group weighing them differently.

Re:Cash only economy (1)

omnichad (1198475) | about 3 months ago | (#45943683)

Right. With credit cards, you're basically getting free insurance paid for by people who keep loads of interest-bearing debt.

Re:Cash only economy (1)

Anonymous Coward | about 3 months ago | (#45943033)

Mmm...Will you be walking down any dark alleys in the near future? I'd love to discuss your methods in person, you see...

Re:Cash only economy (4, Insightful)

alen (225700) | about 3 months ago | (#45943217)

let's see
in the 80's when soldiers would get paid in cash or real paper checks they would get robbed outside the army base gates on their way to the bank. direct deposit solved that issue

used to be that people kept cash at home. but if your home burns down or you are robbed or whatever, you lose all your money. with CC's you dispute charges and don't lose a dime

Re:Cash only economy (2)

mlts (1038732) | about 3 months ago | (#45943491)

The people who have been pushing gold and silver on us for a while have said the same thing. However, there are a few problems with that:

1: If someone even got an inkling that someone was carrying a large amount of cash for a purchase, they likely would be mugged. Someone nearby seeing someone at McDonalds having a large wad in their wallet might make them a prime target. The reason why muggings are down is because it is a lot harder to make any useful money from a pile of credit cards. It can be done, but it is easily traced.

2: Fundamentally, our currency exchange system is working. It just needs a cryptographic overhaul, work with tokenization, and separation of duties. That way, it would require attacking individual registers physically instead of pushing code from remote, and even then, the "black box" that one inputs a PIN from would be isolated, so one might get a hashed, encrypted value, and that's it.

3: Physical cash is slower. I can make a purchase online in seconds. To do the same thing in paper bills would take days to weeks.

Inside job? (5, Interesting)

BringsApples (3418089) | about 3 months ago | (#45942799)

All quotes from TFA:

"Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target," Reuters reported, citing sources familiar with the attacks. "Those breaches have yet to come to light...

What the hell, why not? I had to cancel one of my family debit cards because of Target, do I now have to cancel my other one from an unnamed store?

After gaining access to a merchant's network, attackers can install memory-parsing malware on register systems or backend processing servers to extract magnetic-stripe data as it moves through the payment process.

How are they gaining access to Target's network? Maybe it's from the ever-famous wireless network that's in all Target stores, and is prone to attacks, based purely on its password policy (changes automatically once a month - or doesn't at all - I hear)

“The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,” Visa explained in a security advisory.

Again, how did they not only get into the system, but how'd they know the executable binary that was running? I mean, this isn't something that was done in one day, it had to be a collective goal for more than one person.

Visa first warned about these types of attacks targeting grocery merchants, but said merchant segment is vulnerable. According to Visa, these types of memory parser malware attacks have been found only targeting Windows-based operating systems.

This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.

In March 2013, new malware was found targeting point-of-sale (POS) systems and ATMs and was behind the theft of payment card information from several US banks. Called "Dump Memory Grabber", the malware scans the memory of point-of-sale systems and ATMs looking for credit card data.

And how the shit does one gain access to an ATM's RAM?

All in all, I feel that this must have been an inside job of some kind. Not just a Target employee, but a Target employee(s) and someone who has access to ATMs inner-workings.

Re:Inside job? (5, Insightful)

houstonbofh (602064) | about 3 months ago | (#45942943)

This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.

Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...

Re:Inside job? (0)

Anonymous Coward | about 3 months ago | (#45943577)

I'd like to add that this is not always the fault of Windows. Smart people who know what they are doing can provide a secure Windows NT solution. Wannabe administrators make insecure systems period, end of story. They use Windows for a variety of reasons but the bottom line is this: If they had to use Linux then they would go Ubuntu, KDE, or whatever holds their hand through the muck. They would build an insecure Linux network and still get compromised.

Re:Inside job? (1)

rmstar (114746) | about 3 months ago | (#45943603)

Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...

Oh I get it. You run a POS software on a POS operating system on a POS hardware? And that's why the system stinks!!

Re:Inside job? (1)

tgd (2822) | about 3 months ago | (#45943697)

This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.

Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...

Once you've crossed the "root" security boundary, it's just as easy to access the raw memory in Linux as it is in Windows.

And it's not hard to elevate to those rights on either platform. Vulnerabilities exist on everything.

Re:Inside job? (0)

Anonymous Coward | about 3 months ago | (#45943717)

This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.

Getting PCI compliance certification is not cheap, and you need it if you want integrated payment. So far, not a lot of open source POS systems are lining up to pay for certification...

Well (I know many Slashdotters won't like what I'm about to say) there is, or was, SCO. It's not open-source, but it _is_ an open platform, and it's quite a bit more resistant to malware and viruses, if configured half-ass decently.

Re:Inside job? (0)

Anonymous Coward | about 3 months ago | (#45942955)

Well, there are a lot of underemployed individuals. Maybe some disgruntled tech workers that were let go and got hired on at Target decided to go for it. Likely easier than we realize, especially for someone who knows about ATM and POS systems.

Re:Inside job? (1)

Anonymous Coward | about 3 months ago | (#45942963)

Never, ever, use a debit card for anything. Use a credit card and pay it off. Stolen credit cards can cause you headaches, stolen debit cards can ruin your life.

Re:Inside job? (0)

Anonymous Coward | about 3 months ago | (#45943159)

Actually, I'd reverse this a bit and carry a prepaid credit card that you can easily refill. That way if your "credit" card gets snatched, your risk is only what you currently have in the account. You can do the same thing by keeping a small checking account with a debit card and limit your account balance to what you can afford to lose. Then if the card is stolen, call the bank right after transferring your full balance out.

Your point is well taken though. A debit card connected directly to your checking account is a huge risk, especially if it is your main way to pay bills and has links to your savings. NEVER link your checking account to your savings where the bank can automatically transfer funds. A debit card is also usually a key to getting access online to your account.

Re:Inside job? (1)

BringsApples (3418089) | about 3 months ago | (#45943597)

You have a very good point. However, the bank where I do banking seems to be very good about returning funds if I tell them about fraudulent charges. I just have to fill out a form. They get with the place where whatever product(s) was purchased, and they work out some agreement. 9 times out of 10, the 'store' can tell that the purchaser was not who they claimed to be, but it has to be brought to their attention.

Re:Inside job? (1)

EMG at MU (1194965) | about 3 months ago | (#45943097)

Visa first warned about these types of attacks targeting grocery merchants, but said merchant segment is vulnerable. According to Visa, these types of memory parser malware attacks have been found only targeting Windows-based operating systems.

This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.

Um...everyone uses Windows on POS PCs. Usually a customized WinXP embedded install. Windows devs are cheap, and a lot of the POS app work is outsourced to places it seems are more comfortable with Windows.

Retailers aren't tech companies. There is usually a small group of IT people who are part POS engineers, part vendor management. Most retailers rely on vendors or other companies to provide them with complete systems and support/installation services.

Re:Inside job? (2)

Reibisch (1261448) | about 3 months ago | (#45943373)

This one is my favorite. Why any retailer is running Windows on a POS PC is beyond anyone that knows how computers work. It should be illegal.

So you're saying that you're a security by obscurity advocate then.

Not running on an embedded Windows installation might seem like a safe bet, but as TFA mentions, this vector had to do with processing the payments in the clear -- simply running another OS doesn't necessarily give you that for free.

Re:Inside job? (1)

omnichad (1198475) | about 3 months ago | (#45943721)

but how'd they know the executable binary that was running?

It was scanning the RAM. They didn't need to know what binary. They were likely just looking for credit card data using the Luhn algorithm against ALL of the RAM for any string of 15 or 16 digits. With a hit, they can widen the net and grab all of track 1 and track 2 data. RAM is very fast.

To gain access to the RAM, you only need a privilege escalation exploit.
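As an added illustration (not code from this comment or from any tool it describes), the digit-run-plus-Luhn check described above is the same logic a PCI assessor runs over a captured memory dump of a payment host to verify that no card data sits in the clear: find runs of 15 or 16 digits, keep only those that pass Luhn, and report them masked. The dump contents below are constructed; the card numbers are the standard published test PANs, not real accounts.

```python
import re

# Constructed sample: a fragment of the kind a reviewer might pull from a
# memory dump of a payment host. Contains two Luhn-valid test PANs and one
# 16-digit reference number that is not a card number.
SAMPLE_DUMP = (
    b"\x00\x00TXN=000412;PAN=4111111111111111;EXP=1512\x00"
    b"ref=1234567890123456\x00"
    b"amex=371449635398431\x00"
)

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right,
    subtract 9 from any doubled value above 9, and sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# A run of exactly 15 or 16 ASCII digits, not embedded in a longer digit run.
PAN_RUN = re.compile(rb"(?<!\d)(\d{15,16})(?!\d)")

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the usual PCI display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cleartext_pans(buf: bytes):
    """Return (offset, masked_pan) for every Luhn-valid 15/16-digit run.
    An empty list is the result you want from a host that never holds
    unencrypted track data in memory."""
    hits = []
    for m in PAN_RUN.finditer(buf):
        run = m.group(1).decode("ascii")
        if luhn_valid(run):
            hits.append((m.start(1), mask_pan(run)))
    return hits

if __name__ == "__main__":
    for offset, masked in find_cleartext_pans(SAMPLE_DUMP):
        print(f"cleartext PAN at offset {offset}: {masked}")
```

The reference number is dropped because it fails Luhn, which is exactly why the check cuts the false-positive rate far below a bare digit-run search.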

Testing Methodology vs Cost Effectiveness. (1)

pillageplunder (183475) | about 3 months ago | (#45942811)

For Retailers and Credit card providers both, it appears their ability to understand the validity of robust security testing and practices revolves around cost. Not having to pay any perceived penalty due to a data breach means these corporate types can assign a relatively low risk to data breaches. Low risk usually means low test efforts as well. And this is what we as consumers appear to be satisfied with. I'm more of the opinion that if you have a data breach, it should cost you as a company X dollars per person affected...and start X somewhere above 5 figures. Each person would get that payout. How seriously then would corporations take data security?

Re: Testing Methodology vs Cost Effectiveness. (0)

Anonymous Coward | about 3 months ago | (#45943669)

Actually they are on the hook for all losses by consumers and can be fined $10,000 per lost consumer piece of data (now, whether or not it's enforced is a different thing).

It's not a small fine they are looking at.

3rd world countries (-1)

Anonymous Coward | about 3 months ago | (#45942819)

Which third world country were these motherfuckers from?? I'm assuming the attackers were from India or China.. maybe N Korea ?

Re: 3rd world countries (0)

Anonymous Coward | about 3 months ago | (#45942923)

The US of A I expect

Re: 3rd world countries (0)

Anonymous Coward | about 3 months ago | (#45943057)

haha! That never happens... if it does then it's done by individuals or groups who immigrated here from 3rd world countries.

Which online retailer paid for the hack? (0)

Anonymous Coward | about 3 months ago | (#45942843)

Just wondering.

Re:Which online retailer paid for the hack? (1)

hcs_$reboot (1536101) | about 3 months ago | (#45943091)

They should put the RIAA and all their huge means on this. That's a more interesting challenge compared to their regular CD copier.

Target Confirms Point-of-Sale Malware Was Used In (1)

danielpauldavis (1142767) | about 3 months ago | (#45942873)

Only shop at $0.99 stores because even thieves know those customers haven't any money to steal.

Well, then. (2)

roc97007 (608802) | about 3 months ago | (#45942903)

> [...] that malware was used in attacks that compromised the company's point of sale registers.

See?? There is still a market for Windows 98 programmers!

PCI DSS? (1)

EMG at MU (1194965) | about 3 months ago | (#45942905)

PCI-DSS was created to hold merchants to some kind of security standards. There are huge fines if your payment processing system isn't compliant.

Details aren't really that clear, but do we know if Target was in violation of the requirements? Or is this a case of PCI-DSS compliance not guaranteeing security? From what I remember of PCI-DSS, it was a good start but not comprehensive. It seemed more focused on preventing someone from swapping out a legitimate credit card processing device with a compromised one, preventing snooping on the local network, and avoiding having normal unsecured POS devices do credit processing. This attack was at Target's corporate processing core it seems so I don't even know if PCI-DSS applies.

Re:PCI DSS? (1)

operagost (62405) | about 3 months ago | (#45943427)

I assure you that PCI DSS is quite comprehensive. Any system in a LAN that touches cardholder data is normally in scope. Any system that stores cardholder data is especially restricted and monitored.

They were not in PCI-DSS compliance. (0)

Anonymous Coward | about 3 months ago | (#45942917)

The Card Readers they used should have been encrypted making all sensitive data only decipherable to the processor. There would have been no data "in the clear" even if they were RAM Scraping.

Re:They were not in PCI-DSS compliance. (2)

MobyDisk (75490) | about 3 months ago | (#45943115)

The Card Readers they used should have been encrypted making all sensitive data only decipherable to the processor.

It sounds like it was encrypted, and the malware was on the processor.

There would have been no data "in the clear" even if they were RAM Scraping.

The article claimed it had to be decrypted in memory in order to process it. I think this is a fundamental limitation of the credit system.

Re:They were not in PCI-DSS compliance. (0)

Anonymous Coward | about 3 months ago | (#45943433)

See this: Computing Arbitrary Functions of Encrypted Data

http://crypto.stanford.edu/craig/easy-fhe.pdf

Quick fix for the POS POS machines ... (1)

bizitch (546406) | about 3 months ago | (#45943201)

Assuming these POS POS machines suck when it comes to security ... why not

- Install them on their own VLAN in stores
- Deny the VLAN internet access

Simple n'est-ce pas?

Re:Quick fix for the POS POS machines ... (2)

paulzeye (736282) | about 3 months ago | (#45943361)

Needs to be a little more complex. An easy way around your measure would be to have a compromised jump box somewhere else on Target's network. POS machines send data to jump box, jump box uploads it to internet. Access to the POS VLAN needs to be tightly controlled, but then you need to pull logs off some of them, put patches and updates on them, authenticate users, and after a while your VLAN has lots of holes in it.

Surely they mean "*outgoing* CEO"...? (2)

jeffb (2.718) (1189693) | about 3 months ago | (#45943237)

I must be having some rendering issue in my browser. No matter how many articles I read mentioning "Target Chairman and CEO Gregg Steinhafel", I can never make out the word "outgoing" in front of the title. Not even "embattled". It must be a browser problem. I can imagine some weird bug that would cause such words to be rendered as hidden text; I can't imagine a world where a CEO would emerge unscathed from a screw-up of this magnitude. Right?

Re:Surely they mean "*outgoing* CEO"...? (1)

game kid (805301) | about 3 months ago | (#45943397)

Don't worry, Steinhafel is already making speeches about his victimization and firing scapegoa^W^W^W^W^W^W^W^WShowing Leadership and Getting To The Bottom Of This.

You know, like that Christie guy [nbcnews.com].

Got email from Target offering free credit monitor (5, Interesting)

m00sh (2538182) | about 3 months ago | (#45943369)

I got an e-mail from Target offering me free credit monitoring.

Yeah, they leaked my name, address, credit card number etc and now they want me to sign up for credit monitoring with them. Just input your social security number and answer a few questions ...

We have been hearing about how Target figures out if you're pregnant before your family does. They have been doing all sorts of data mining on people.

I suspect what is leaked is just not the name, address and credit card info on their subscribers. What if they have a profile on each of their customers that is also leaked? What if they compiled all sorts of data about their customers from various sources, like relationships, employment field, estimated incomes and other bits of info from the credit history? What if all that was leaked?

Re:Got email from Target offering free credit moni (2)

Rob the Bold (788862) | about 3 months ago | (#45943705)

I got an e-mail from Target offering me free credit monitoring.

Yeah, they leaked my name, address, credit card number etc and now they want me to sign up for credit monitoring with them. Just input your social security number and answer a few questions ...

Surely, they aren't offering to sign you up with their roll-your-own credit-monitoring system, right? (Because I wouldn't go for that either.) Last time I had a credit card possibly compromised, the retailer at fault gave me a free one year subscription to Equifax's credit monitoring service. I got a coupon code from the retailer, but all the interaction was with the credit bureau.

(For the sake of closure on that anecdote, nothing weird happened over the following year.)

Why not thin clients using PCoIP or RDP? (2)

kriston (7886) | about 3 months ago | (#45943423)

Why are they not using thin clients like VMware, Citrix, with PCoIP? I recently visited a Bob's furniture store and all their POS terminals were thin clients using either RDP, Citrix, or bus virtualization protocols like PCoIP. Same with the terminals at all the centers at another firm.

With the current generation thin clients, particularly the nifty PCoIP ones, local performance is very attainable even though it isn't really needed for POS terminals. VMware has offered PCoIP since 2008 and Amazon has just released their implementation.

I think Target deserves what they got for having POS terminals that are allowed to be locally modified in any way.

Re:Why not thin clients using PCoIP or RDP? (1, Interesting)

Charliemopps (1157495) | about 3 months ago | (#45943627)

I'm curious, if you find security so important, why the hell do you have a link in your sig that directs people to pictures of your entire family? As much as I'm sure we're all thrilled to see your daughter's piano recital, I can't imagine I'd ever put pics of my kids on the net like that. I guess that's up to you but the Slashdot crowd is not who I'd want having every intimate detail of my home life. I'm pretty sure your link would let me steal your identity a lot quicker than any data they got from Target.

girlintraining? (0)

Anonymous Coward | about 3 months ago | (#45943605)

Where is girlintraining when you need her? I came here after her previous commentary on having worked at Target, to see if any of this matches her experience. I wanted an insider's take. Uh, oh. Was she "disappeared" after commenting?

Target Hasn't Confirmed Shit (0)

Anonymous Coward | about 3 months ago | (#45943709)

This is the third, of what is likely to be dozens, of incestuously self referencing blog posts and "news" articles all reverberating the same assumptions, supposition, and lack of factual detail.

They got the credit card data from the point of sale (PoS), where the data is entered. Duh, we knew that. It was malware. We pretty much knew that too, it sorta goes without saying. But, they still haven't actually said what the malware was or did exactly. Though fluffy, the reports do pontificate cluelessly about "RAM scrapers" which Visa already warned about. Except that Visa's warnings were for Windows systems and Target uses Linux PoS systems. So, again, we don't really know shit.

So, despite this article's claims of confirmation, here's what we still don't know:

1. How the malware got in or was installed.
2. When the breach first occurred.
3. The specific nature of the malware and which specific system it targeted.
4. The full extent of what was taken.
5. Who did it.

What else have I missed?
