back to article When ZOMBIES go shopping: 40m Target customer breach? That's NOTHING!

Malware linked to fraud in the retail sector may be a bigger problem than even the recent revelation about the compromise of systems US retailer Target suggests. Shopping giant Target and luxury retailer Neiman Marcus both announced significant data breaches during the 2013 holiday shopping season. The Target breach at least …

COMMENTS

This topic is closed for new posts.
  1. Marvin O'Gravel Balloon Face

    ... and that's why I stick to the folding stuff.

  2. pacman7de
    Facepalm

    Security through oblivion?

    How is it possible for hackers to compromise these systems and nobody notices until the cards start appearing on the market?

    1. Anonymous Coward
      Anonymous Coward

      Re: Security through oblivion?

      Because anyone who brings up security issues inside a non-technical business is at best branded a "troublemaker", and quite likely to be fired for "hacking" the systems.

      1. Irongut

        Re: Security through oblivion?

        Hell even in a technical business and as an IT person I know that my bosses think I'm some kind of paranoid survivalist whackjob because I point out our many security failures. No one listens because they think it will never happen to them. I look forward to the day it does.

      2. BillG
        Flame

        Re: Security through oblivion?

        Because anyone who brings up security issues inside a non-technical business is at best branded a "troublemaker", and quite likely to be fired for "hacking" the systems.

        Totally, completely, 100% correct. Plus, the IT guy that uncovers the security hole will only be able to talk to, at best, two levels of management above him. And those managers want to stay silent out of fear that they will be blamed by top management for the flaw.

        IT Guy: "We have a huge security hole"

        Manager: "Have we been hacked? No? Then shut the f**k up"

        Fast-forward a year later and they are hacked by the same flaw. IT Guy is asked to submit a WRITTEN analysis of the flaw (he will not be allowed in face-to-face meetings) that will only be seen by his two levels of management, who will take credit for "discovering" the flaw. "We need you to cooperate and only work on the fix, don't tell anyone else" he's told. "We will reward you later", they lie.

  3. Anonymous Coward
    Anonymous Coward

    How many???

    40 MEELLION? Now that, is incredibly hard to believe. Bit of misinformation to sway advertisers?

    Unless that includes details from people in other countries, I can't imagine that's even possible.

    1. Anonymous Coward
      Anonymous Coward

      Re: How many???

      Why? Thousands of stores, each doing thousands of transactions a day + online transactions. Not hard to get that figure.

    2. Pascal Monett Silver badge

      Re: 40 MEELLION? Now that, is incredibly hard to believe

      No it isn't. Every family unit needs to shop for food at least once a week. The latest census states that US population has hit 315 million.

      Even if only one in ten of those 315 million people go shoppping, that's 31.5 million cards right there.

      Now, if what you're saying is that you find hard to believe that 40 million high-rate cards were lifted, I tend to agree with you. But 40 million bank details ? That's easy to believe.

      What I find difficult to believe is that they didn't get more.

    3. BillG

      Re: How many???

      40 MEELLION? Now that, is incredibly hard to believe.

      Do you always use the same credit card at the same store? People use one, two, or three cards. This could be 15 million individuals using 40 million credit cards.

    4. Tom 13

      Re: How many???

      Not misinformation per se and certainly not for the advertisers.

      If it is overstated, it is only as is necessary to protect them legally. Let's say you think the bad guys only got 70% of the terminals in a store. Do you report only the 70%, or the whole store? If you report only 70% and it turns out they got 72%, you're really are on the hook for disseminating misinformation.

      And other posters are correct, most people here use multiple credit cards. Right now I have two debit cards, and three credit cards that I can think of in my wallet. Theoretically I have another two at home on accounts I'm working to pay off because I misused them in the past. The accounts are in good standing, but I don't actively use them.

  4. frank ly

    Have I got this right?

    Why do Target (and others, I assume) have to store the card details on their system at all. I thought that the CC transaction was authorised by the CC issuer company, via the POS link, and then given a unique ID that pointed to a record in the CC company servers. After that, the retailer has no need to keep a record of the customer CC number, just the authority ID in case of future queries/refunds/etc.

    1. phil dude

      Re: Have I got this right?

      in the same vein, is there a reason we even need a number that can be copied?

      Surely a system where you enter the pin on YOUR card to give a code for them is possible? Not unlike those things banks use, but a nice one...

      It would certainly make store theft harder, though I would not advocate it for ATMs as it makes you a target...

      P.

      1. Tom 13

        Re: Have I got this right?

        If the POS terminal at the register was hacked, you're hosed no matter what. Card details and PIN, the bad guy has them.

        1. Mark 65

          Re: Have I got this right?

          "If the POS terminal at the register was hacked, you're hosed no matter what. Card details and PIN, the bad guy has them."

          Which is why, in most other countries, the card hardware is separate from the POS terminal and is a closed system. It gets passed the amount and passes back information on verification. If the POS terminal is hosed then who cares?

    2. Irongut

      Re: Have I got this right?

      You're missing two important points - the Point Of Sale terminals were hacked so the attackers could get card details whether Target stored them or not and this is the USA, they don't have chip & PIN.

      1. Reallydo Wannaknow

        Re: Have I got this right?

        umm ... "Chip and PIN wouldn't have been enough to stop fraud in the Target case, according to a blog post by security vendor Easy Solutions."

    3. Tom 13

      Re: Have I got this right?

      I don't think the malware was attacking the data storage. Remember, the reports say they also got people's PINs (needed for debit cards). Retailers might store CC info for the transaction in case the buyer disputes the purchase*, but they'd never have call to store the PIN.

      *If the buyer disputes you need to be able to find a signed copy of their receipt or the CC company sides with the buyer. That means you'll want the CC number (probably by last 4 digits), the day of the sale, and the register where the transaction was recorded. Then you find the cashier and the right storage box to pull the receipt. Electronic records aren't usually enough. Online transactions will of course differ.

    4. Anonymous Coward
      Anonymous Coward

      Re: Have I got this right?

      Depends on how old the back-end system is to determine if they store the data or not. That aside, the problem was that malware was installed that monitored the data as it went through the system and recorded it, not a simple break in and data steal.

    5. MarkSitkowski

      Re: Have I got this right?

      The short answer is - they don't. Why would you need to tell the CC company your card details? They already know them. What they actually need to do, is to prove you are you. If they installed a system to do that, there would be no records worth stealing on the retailer's systems.

      Too easy, man..

      1. Anonymous Coward
        Anonymous Coward

        Re: Have I got this right?

        No you haven't.

        As I have done PED replacement programs for some of the largest retailers, I actually know how POS systems work.

        The PED reader will send to the TILL (which is a basically a PC) any information asked of it.

        So if the POS terminal is "hosed " it will have your details, inc Card number. In most systems it it the POS software that them encrypts the transfer of information back to the Payment system.

        In most major retailers the PED/POS do not talk directly to the credit card system. They talk to a payment gateway in the retailers environment.

        The basic flow is PED reads card, sends info to POS, POS creates charge record which contains card number, details and amount, POS sends info to payment gateway, payment gateway sends to correct bank (acquirer). ( there can be one acquier for all cards (visa, amex, mastercard) or multiple acquiers if you get better inchange rates).

        Obviously there are lots of other stages such as authorisation, anti fraud, etc but that is the basic flow.

        The only true solution is if the PED device encrypts the card details on itself and only the encrypted information is seen by the POS. Very few systems do this. I only know of one major highstreet retailer in the UK that does this (because I architected the solution) and speaking to the PED providers and payment software suppliers they know of few that do this.

  5. steve 124

    all ex CCCP countries... hmmm

    Has no one noticed that the majority of these attacks are coming from Russia or old Soviet block countries? (of course, China too but at least they are government sponsored so they aren't looking to run up CC bills).

    I think it's time we, as a planet, agree that if you can't play nice you can't be part of our interwebs. I added all the old Soviet country subnets to my firewall block list (at home and work) several years ago and my life is better because of it. I urge everyone to do the same. Just block everything from those criminal countries and we can just pretend they don't exist!

    I can think of a few African countries that need to be included too (yes I'm looking at you Nigeria).

    BTW, there is no sarcasm in this post, I really do this and I really believe this. Follow me into a brighter internet experience, block class A subnets. You'll feel better. :)

    1. Anonymous Coward
      Pint

      Re: all ex CCCP countries... hmmm

      Wouldn't do anything for proxies methinks but worth thinking about.

  6. Anonymous Coward
    Anonymous Coward

    I work for a major retailer.

    I'm not saying where, I like my job.

    Our entire system, nationwide, runs on Windows XP. 32bit. I. Kid. You. Not. Even the POS, which makes for an amusing acronym.

    There are NO plans for update either.

    It's only a matter of time...

    1. steve 124

      Re: I work for a major retailer.

      Wow man that's scary. Sure wish you'd let us know which one. Regardless, I'm planning on using only cash after May 1st at brick and mortar stores. We started migrating to w7 over 2 months ago and will probably just barely make the cut off date.

      BTW, jackofshadows, you're right and unfortunately it won't stop botnets controlled by those countries (and p2p traffic). But just imagine if it was implemented on an ISP level. That would amazing. Our security issues and spam would all but dry up. It's be easy to just put a loopback DNS entry for those subnets in the internet root DNS servers. A guy can dream can't he? :)

  7. Dropper

    Re: I work for a major retailer.

    "But just imagine if it was implemented on an ISP level."

    The movie and recording industries would probably be the place to start.. they seem to have more than their fair share of clout when it comes to deciding all things internet. Shouldn't be too hard of a sell either, after all these are countries where copyright, patents and intellectual property are considered (to paraphrase) guidelines rather than rules.

This topic is closed for new posts.

Other stories you might like