Run for the tills! Malware infected Target registers, slurped 40m bank cards

Target today claimed malware infected its cash registers, which allowed crooks to siphon off copies of 40 million credit and debit cards. Chief executive Gregg Steinhafel said point-of-sale (POS) systems were compromised by a software nasty, which harvested sensitive banking information from customers' magstripes. The …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Malware or not, Target has a huge security issue. The registers and the back-end systems should not have Internet access. The malware was installed and the security measures there were flawed and then it was allowed to be installed on every POS system and then able to report "home" with the hijacked data.

    1. Anonymous Coward

      Who said the POS system has internet access?

      I'm willing to bet it doesn't. I'll bet social engineering was an important part of this attack.

      The attackers could have mailed a USB stick to Target stores all over the country with a fake return address showing Target corporate headquarters, telling them it needed to be loaded into the POS server for PCI compliance. It only takes one person to blindly follow that instruction to get the malware onto Target's intranet.

      Either that, or they use wireless somewhere and don't realize how easy it is to hack so-called "secure" wireless, and someone broke in from a parking lot.

      Clearly the POS systems were only a step in getting the malware to their main payment processing systems, otherwise people who ordered online wouldn't have had their information compromised.

      1. Wzrd1 Silver badge

        Re: Who said the POS system has internet access?

        "Either that, or they use wireless somewhere and don't realize how easy it is to hack so-called "secure" wireless, and someone broke in from a parking lot."

        Blather.

        Cracking into *one* store network or even a region's stores won't get you 40 million cards and customer PII.

        Not if the network was properly configured. There is no reason to permit cash registers from different stores and/or regions to be able to communicate with each other; they only need to communicate with their transaction server.

        1. Anonymous Coward

          Re: Who said the POS system has internet access?

          "Now that we have virtualized our POS application, we can build redundancy by replicating the application on both Hyper-V host servers."

          http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407

          1. Michael Wojcik Silver badge

            Re: Who said the POS system has internet access?

            http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407

            AC, please stop injecting facts into our speculations.

            The lack of votes on your post suggests none of the Usual Idiots arguing about this could be bothered to read the document. It's a 2011 case study of Target's in-store IT system. Two Win2008 DataCenter servers running Hyper-V. Endpoints, including POS terminals, managed with Microsoft Systems Center.

            So: POS software is managed by MSC, which is running on servers that very likely have Internet access. And those servers almost certainly can talk to their counterparts in other stores. Get malware on one, and it likely could spread by unpatched vulnerabilities across the network.

            1. Charles 9

              Re: Who said the POS system has internet access?

              "So: POS software is managed by MSC, which is running on servers that very likely have Internet access. And those servers almost certainly can talk to their counterparts in other stores. Get malware on one, and it likely could spread by unpatched vulnerabilities across the network."

              Just because a system has MSC doesn't mean it's not exposed to the greater Internet. Many setups I've seen have both the POS devices and the servers with addresses in the 10.x.x.x range, which if you'll recall is an IP range reserved for private nets. So this would mean a corporate intranet at least one step removed from the greater Internet. How big that step is can depend and can have an influence on how much effort it would take an outsider to jump the gap and get into the intranet from the Internet.

              What you describe in terms of software IIRC appears pretty typical for an NCR setup. For many years NCR has used POS software based on some form of Windows: either XP or CE and Windows Server systems at the back end.

      2. Charles 9

        Re: Who said the POS system has internet access?

        Last I checked, Target POS systems don't have readily-accessible USB ports. Indeed, if it's like most POS systems I know, the software is loaded from the back office, which in turn gets it through a corporate intranet.

        Something this sophisticated on hardware that normally doesn't see the Internet points me to an inside job. It may not be with Target in this case but with the designer of the base POS software Target and other firms were using. IOW, we're talking insider hacking from pretty high up the chain.

        1. T. F. M. Reader

          Re: Who said the POS system has internet access?

          I am not an expert on POS systems. However, I assume that to operate they need to be connected to servers (to process credit card transactions, to record purchases, to update stock records, to access loyalty card databases, to update software, maybe even to boot, whatever). Those servers are probably connected to yet other systems, etc.

          Are Target networks to which POS systems are connected, directly or indirectly, air-gapped from the Internet? Is it even a requirement? Could it be that it is a requirement that they (the networks, not the POS themselves) *are* connected, for this or that business reason? I would not be surprised - Target is not CIA. If that is the case the rest is down to an exploitable vulnerability or two, plus a bit of misconfiguration combined with a moderate dose of overconfidence, I suppose.

      3. This post has been deleted by its author

      4. Tom 13

        Re: Who said the POS system has internet access?

        No, clearly the POS system was the primary target otherwise they wouldn't have all the Debit PINs. The online system was just collateral damage.

      5. BillG

        Re: Who said the POS system has internet access?

        I've worked on the ARM chips that go into POS systems. After your credit card is run through the reader it is immediately encrypted, and all the cc data sent inside the store's network is encrypted. But malware installed between the card strip reader and the encryption algorithm could snag the numbers. The malware would have to be installed in the ARM's flash memory. Shockingly, yes, some POS terminals have direct access to the internet, I was told for firmware upgrades and diagnostics. The systems I know of have no USB ports or any other way of external access.

        IMO to grab 40 million credit card numbers, to happen in this scale, it had to have happened at the factory of the POS vendor. Given the limited number of people with access to the firmware, and after they examine the malware and find the IP address the numbers were sent to, I think there will be an arrest.

        What POS vendor does Target use again???

        1. Charles 9

          Re: Who said the POS system has internet access?

          "Shockingly, yes, some POS terminals have direct access to the internet, I was told for firmware upgrades and diagnostics."

          Savvy firms don't allow direct upgrades and instead test the upgrades, vet them, then roll them out at their schedule through the corporate intranet. Also consider some transactions were probably done with the POS's reader rather than the PIN Pad's. If they were sniffed as well, the exploit would need to be in the POS itself, as the PIN pad wouldn't have read that data.

          I'd have to pay a visit, but I think Target uses NCR brand POS systems (if not, then it's probably IBM). But the PIN pads come from a different company (I don't think it's Ingenico, but I suspect it's the same company that supplies Best Buy).

    2. Tom 13

      Re: back-end systems should not have Internet access.

      At least one back end system of necessity has internet access: the one that contacts the credit/debit card vendors to authorize the credit/debit transaction. The days when that was all done by modem are long gone. Yes, you can double home that system so the POS registers aren't directly exposed to the internet, but I'm not sure how much that really buys you in the long run. Yes, you only have one system to keep properly patched and secure instead of 15 or 30, but if you compromise that system chances are you still have access to all the POS systems through it.

      Now the scarier part here is that Target and Neiman Marcus are chains with relatively large IT budgets. So they may (not necessarily are) have more recent OS systems for the servers in a POS location. Think about all the fast food stores with POS systems on a shoestring budget.

      I have a friend who does that kind of support work for a small chain. They had been putting a single w2k server in a store and hooking up their POS terminals to it. Not sure what the underlying POS system was, hopefully proprietary but that's not a smart money bet these days. I think they may have finished upgrading to 2003/8 in December. Each one of them is a cookie cutter image of the first. Once you own one you own them all, it's just a matter of re-iterating your exploit on each subsystem. Oh, and odds are decent the registers start at 1 and count up, at each store.

      So even if you aren't Target or Neiman Marcus, if you have anything to do with retail POS systems, you should probably be crapping concrete block sized bricks right about now.

      1. Charles 9

        Re: back-end systems should not have Internet access.

        "At least one back end system of necessity has internet access: the one that contacts the credit/debit card vendors to authorize the credit/debit transaction."

        But that should be the ONLY link. Meaning you can treat it like a store-to-headquarters link. It need not be on a dedicated line, but if it's a well-defined connection, you can tightly restrict the connection with assistance from the data provider and the other end (limited access, VPN tunnels, encrypted connections, only accept outgoing initiation, etc.) to make it so that's the ONLY thing it can see.

        I suspect Target and Neiman Marcus were targeted specifically because they were big retailers (as in, large gross receipts due to (the former) lots of customers or (the latter) high-ticket customers). But as you say these firms are no hayseeds, and the POS software usually undergoes vetting and testing prior to a rollout (which does not occur often--they usually only change the POS systems when they HAVE TO due to security or internal procedural updates), which means the exploit had to survive that kind of testing. Plus if the code was signed, it would need to have been altered BEFORE signing.

        These along with the fact the data didn't appear to be detected en route leads me to believe the attack was very sophisticated: in fact so sophisticated as to preclude someone without intimate knowledge of the internal software and/or network. That's why I suspect an insider. I would need to know more about the respective POS systems, but for now, given that two different retailers were hit at the same time with the same MO, I hypothesize the exploit occurred at base POS code that would then be common to both retailers. So IOW, not an insider with the retailer but an insider with the POS manufacturer.

  2. Scoular

    If consumers punish them by buying elsewhere then something will be done.

    If consumers just accept what has happened then Target and the others involved in similar breaches will just get on with business as usual. If it costs someone else why would they bother with better security. That thinking is behind the lax US standards relating to credit cards.

    1. kain preacher

      No, this is how you punish them. Target must pay off all Target cards. Any credit cards that were compromised, Target must pay the full balance off, regardless of where the purchases were made. In the event that the owner paid off the credit card, Target is responsible for all purchases 30 days of the breach or 30 days after the breach was announced, whichever is longer. In the event that it was a debit card, Target must pay all fraudulent charges. Target must refund the last 50 transactions on the debit card 30 days prior to the breach and the next 50 transactions 30 days after the breach.

  3. PunkTiger

    I'm considering myself lucky

    During the time in question (late November through December 15th), I didn't visit a Target store or their website to buy anything.

    No point to this post, really, just counting my blessings.

    1. This post has been deleted by its author

    2. Velv

      Re: I'm considering myself lucky

      Are you being satirical or naive???

      It is only a matter of time before the next failing, and it could be your local shop and you. Our banks tend to be the most secure and history has shown they regularly get it wrong, so what chance have the lower orders got?

      Seriously, retailers aren't interested in security, so they do the bare minimum to APPEAR to "protect" the customer and the business. But tills, payment systems, etc. don't sit on separate secured networks, so to compromise them is usually trivial.

      Anyone reading this thinking "we do it well" and "we do it safe" is in for a big fall (especially retailers). I've never come across a business yet that has implemented multi-layered security that is impregnable. I shop very carefully.

      1. Tom 13

        Re: I'm considering myself lucky

        Even if you are trying to do it well and safe, you're still on a budget.

        But I concur the number who try is probably smaller than the number who do the bare minimum required by law.

  4. Anonymous Coward

    Hit the Target

    I can imagine a Mom and Pop store getting scammed by this, but a multi-national?

    And for it to go on so long.

    I'll bet there will be some targeted redundancies soon.

    1. Wzrd1 Silver badge

      Re: Hit the Target

      I'm betting that a CIO position opens up quickly, probably some network manager positions as well.

    2. Sherrie Ludwig

      Re: Hit the Target

      I suspect the mom and pop shops are MORE careful with customer data because they really need every sale, and because the owners themselves will lose money for any problem transactions. Target, the shareholders will get a little jolt, then back to usual.

  5. Sanctimonious Prick

    Class Action

    Take 'em to the cleaners!

    Target are responsible for this massive breach!

  6. JCitizen

    For this to happen this big and all at once smacks of international cyberwar. Iran anyone?

    1. Anonymous Coward 101

      Are you a US politician? Undeniably one good thing coming from the Snowden revelations has been the reduction in the use of the word 'cyberwar' by twats, generally in relation to China.

  7. Anonymous Coward

    Don't know means don't know...

    At this stage we simply do not know the PoS attack vector nor the characteristics of any communications used between the PoS terminals, in-store servers, nor from store to the 'net. I would suspect that a mirror shunt was used but that's only a suspicion. Brian Krebs didn't reveal a whole lot, so far. And that's before we even consider the other attacks and possible commonalities.

  8. Christian Berger

    Many barcode scanners allow arbitrary keypresses

    In fact that's a common feature. So unless you turn it off, you can exploit a cash register via barcodes.

    BTW many barcode scanners are configured via barcodes, so you can turn on that feature via barcode.

    1. Charles 9

      Re: Many barcode scanners allow arbitrary keypresses

      True, but most of them ALSO feature a specific procedure that requires scanning not one but a SERIES of barcodes to configure them the way you want. The Symbol scanner I own (which is similar to models seen in smaller stores) can be configured to refuse to scan certain types of barcodes so that you can limit exploit avenues.

      As for exploiting the POS, that depends on the system. Among the different things you can set the barcode readers to do is to emulate a serial port rather than a keyboard, meaning the POS can distinguish between them and be much less likely to be exploited through this method.

  9. Anonymous Coward

    This is how the NSA can fund 'black ops' and make it untraceable.

  10. Anonymous Coward

    Target are now offering free credit monitoring for one year, for all who shopped there. I signed up my entire family, as we all "shopped" there, regardless of the fact that I was the one whose card was read in the POS. (I am interpreting the word "shopped" using the same logic as the NSA interprets "collected").

    1. Anonymous Coward

      Useless

      Credit monitoring for a year is less than useless.

      It costs maybe $10 a month retail, so a small percentage of that when Target purchase it in bulk. And what does that get you? An email saying that false information has been posted to your credit agency account - after which you write to said agency, and they ignore you. Then all your credit card interest rates increase because of said bad information. So you write to all the agencies again in a sterner tone, and they ignore you again.

      Each time you have paid for recorded delivery x 3 (for the 3 equally shitty and incompetent agencies). After a year of writing to them monthly (they don't accept email or phone submissions), maybe if you are lucky 2 of the 3 will have removed the erroneous information. Then you contact the credit card companies who raised your rate based on the false info (now removed) and ask them to reduce the interest rate back to where it was before the fiasco (you have never missed a payment or been late with them). They decline because they are assholes.

      The credit and credit reporting system is fundamentally broken and corrupt in the USA - by design. Every step is created to overcharge consumers and cheat them where possible.

      After having gone through this after the TJX debacle, I am understandably bitter. Also the banks / merchants don't reimburse for the time and effort involved in changing direct debits, updating CC info on accounts, all this wasted effort to correct credit reporting data, etc. All of this responsibility needs to be pushed to Target, not to the innocent consumer.

      1. Sherrie Ludwig

        Re: Useless

        OK, simple answer. Stop using credit cards. Keep a debit card attached to an account that you deposit ONLY the amount you intend to spend in a week or so, and REFUSE automatic overdraft protection. Limits your exposure, you can transfer in money as needed, if you are paranoid enough, keep it in a separate bank from your main accounts and do physical transfer of funds. Or, just pay cash.

        1. Anonymous Coward

          Re: Useless

          Then you get labeled as a terrorist or survivalist nut. Recall how the 9/11 perpetrators left no traces by using cash, and plenty of criminal elements exploit prepaid everything so as not to attach their names to anything.

          So you lose either way.

  11. Anonymous Coward

    Target and Network Matters

    Don't any of these companies use intrusion detection (e.g. SNORT or similar) to identify suspicious traffic? Unusual millions of pieces of data traversing would typically be a clue that something was going on.
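As an added example (not from the thread or from any of its posters), here is the shape of the check the post above gestures at: per-register egress from a POS segment compared against that segment's normal volume, flagging any destination not on an allowlist and, above all, bulk volume to such a destination. The subnet, the allowlist and the flow records are constructed assumptions for the demo.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample flow records for the demo:
# (epoch_seconds, src_ip, dst_ip, dst_port, bytes_from_src)
SAMPLE_FLOWS = [
    (1000, "10.1.20.11", "10.1.20.2", 8443, 3_200),        # register -> store server
    (1010, "10.1.20.12", "10.1.20.2", 8443, 2_900),
    (1020, "10.1.20.11", "10.1.20.2", 8443, 3_500),
    (1030, "10.1.20.13", "10.1.20.2", 8443, 3_100),
    (1040, "10.1.20.12", "10.1.20.2", 8443, 2_800),
    (1050, "10.1.20.14", "203.0.113.50", 21, 48_000_000),  # bulk FTP to unknown host
    (1060, "10.1.20.14", "203.0.113.50", 21, 52_000_000),
    (1070, "10.1.20.11", "198.51.100.9", 443, 1_200),      # tiny, but not on the allowlist
]

# Assumed layout: registers live in one /24 and the only thing they should
# talk to is the in-store transaction server; the payment link is its job.
POS_SEGMENT = ip_network("10.1.20.0/24")
ALLOWED_DESTS = [ip_network("10.1.20.2/32")]


def _allowed(dst, allowed):
    return any(dst in net for net in allowed)


def baseline_bytes(flows, segment=POS_SEGMENT, allowed=ALLOWED_DESTS):
    """Median bytes per register sent to allow-listed destinations.

    This is the 'normal' volume a register produces; 0 if no such flows exist,
    in which case any unexpected traffic at all is rated high.
    """
    per_host = defaultdict(int)
    for _ts, src, dst, _port, nbytes in flows:
        if ip_address(src) in segment and _allowed(ip_address(dst), allowed):
            per_host[src] += nbytes
    return median(per_host.values()) if per_host else 0


def unexpected_egress(flows, segment=POS_SEGMENT, allowed=ALLOWED_DESTS):
    """Per-register byte totals and (dst, port) pairs for traffic that leaves
    the segment for anything not on the allowlist."""
    out = {}
    for _ts, src, dst, port, nbytes in flows:
        if ip_address(src) not in segment or _allowed(ip_address(dst), allowed):
            continue
        entry = out.setdefault(src, {"bytes": 0, "dests": set()})
        entry["bytes"] += nbytes
        entry["dests"].add((dst, port))
    return out


def alerts(flows, ratio=10, segment=POS_SEGMENT, allowed=ALLOWED_DESTS):
    """Rank registers talking to unexpected destinations.

    Any unexpected destination is worth a look ('low'); an unexpected
    destination receiving more than `ratio` times a register's normal
    volume is the bulk-exfiltration signature the post describes ('high').
    """
    base = baseline_bytes(flows, segment, allowed)
    found = []
    for src, entry in unexpected_egress(flows, segment, allowed).items():
        severity = "high" if entry["bytes"] > ratio * base else "low"
        found.append({"src": src, "bytes": entry["bytes"],
                      "dests": sorted(entry["dests"]), "severity": severity})
    return sorted(found, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for a in alerts(SAMPLE_FLOWS):
        print(f'{a["severity"]:4} {a["src"]:12} {a["bytes"]:>12,} B -> {a["dests"]}')
```

A real deployment would feed this from NetFlow/IPFIX or Zeek conn logs rather than a list, but the two signals it keys on (destination outside the allowlist, volume far above the segment's baseline) are what a segmented POS network makes easy to see.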

  12. Anonymous Coward

    PoS says it all really.

    I thought POS was American slang, which happens to fully describe the systems involved!

    1. Sherrie Ludwig

      Re: PoS says it all really.

      It is. It does. USA still uses magnetic stripe cards.

      1. Curtis

        Re: PoS says it all really.

        The difference is that in the US, if there's a contested charge, the card/chargee has to prove it's legit. From what I understand with chip/pin, the fact that the purchaser had the pin proves that they were authorized and stolen/unauthorized claims are much harder to "prove".

  13. Anonymous Coward

    Every few months, you hear stories about this happening. It's TOO easy for hackers to get CC info. The best thing to do is to limit how often one uses their cards (any card) and use cash as much as possible. Sucks going backwards, but sooner or later.......

  14. Anonymous Coward

    Wow... lots of half baked stuff.

    It's been a long time since I've looked at Store Systems and Retail.

    Way back when, stores were connected back to the corporate office via satellite links because phone service was too slow. (Yes I am aging myself. ;-)

    Then in the mid 90's with the rise of the internet and the drop in cost of leased lines (56KB) you could connect all of your stores via land lines, but still be private. As the internet grew and costs dropped, you saw companies switch from leased lines to just connections to the internet. Today, everything is over the internet. (Store systems, corporate communications, video, and muzak (music).) It's all point to point and encrypted.

    (Or should be.)

    Your PoS systems are less custom and more CoTS. This can mean a couple of things...

    1) You have usb ports exposed.

    2) you have internet access so someone could have gotten malware from surfing the web.

    3) stores also have their own wifi networks...

    4) while the wifi may or may not be encrypted, finding the wifi password could be fairly trivial from social networking or other techniques. (war driving)

    5) It could be an inside job

    So any and all of the vectors can show risk.

    Also it's possible that once you get inside the firewall, you have a completely open network.

    So you could do something like a SQL injection, get access in a web based machine, then from there infect all of the PoS machines.

    The easiest thing though... would be to get a job as a holiday temp in a store, find out the information, pass it off to someone and then they do the hack. This way the information breach could have occurred in Store A, then the hackers compromised store B and let it spread. Or it could have been an inside job in their store systems group and the code that gets pushed to all of the PoS machines gets compromised once and then a delayed period goes off to hit them at the busiest time of the year.

    There are a lot of ways one can compromise a store system if you know what you're doing.

    The sad thing is that if you can infect a single PoS and then have it spread out... that's a major, major RED flag.

    1. Charles 9

      Re: Wow... lots of half baked stuff.

      "The sad thing is that if you can infect a single PoS and then have it spread out... that's a major, major RED flag."

      Because normally the POS units don't talk to each other. Instead, the POS images come from the back office, which in turn gets that from headquarters. To be able to infect EVERY Target POS in the country smacks of an alteration in the master image that goes to the store back offices and from there to the POS units. That implies a breach very high up the chain, perhaps even beyond Target's control (if Neiman Marcus was hit with the same breach). Furthermore, if the code was authenticated, it had to have been breached BEFORE authentication.

      1. Anonymous Coward

        @Charles9 Re: Wow... lots of half baked stuff.

        Bingo.

        Or you could have infected the servers that sit in a closet that aggregate the information from the PoS terminals and track the store's inventory...

        Again, it's a question of infecting a store vs infecting the core image that gets pushed to the store.

        Since we don't know how it was done... we can only guess.

        I should also add that we don't know where the software was maintained. Did Target use offshore resources? Meaning could an employee in an Indian sweat shop do it, or was there a security breach in India and it went undetected and/or unreported?

        Lots of issues that should be addressed.

  15. MarkSitkowski

    What about the next time?

    The real worry is that other retailers, using the same POS terminals will be attacked next.

    Isn't it time to look for a solution, before this happens?

    For instance, why do you have to give your credit card details to the retailer, to pass to the credit card company? Obviously, so they can know who you are, and that it's really your card. Okay, then, why not use an authentication system based on your ID, instead? Then, the credit card need only contain your user ID, which they could check, and tie in with the card details, which they already know. That way, the retailer would have nothing worth stealing. Of course, the authentication system would need to be fraudproof, and I believe there's a description of such a system at www.designsim.com.au/What_is_SteelPlatez.ppsx.

    I guess the other benefit of doing something like this, is that the credit card companies wouldn't have the expense of changing to EMV cards, or resorting to something unpleasant, like biometrics.

    1. Charles 9

      Re: What about the next time?

      The retailer needs to know the credit card number in case a transaction is challenged. Otherwise, the credit card company has no way of tying the card to the transaction, and if the trust is moved to the payment processor, what if that's corrupted from the inside so as to alter records and make the retailer appear guilty? The retailer knowing the card number is a trust tradeoff. They need to be trusted with the number in order to answer challenges of that trust.

      As for authenticating based on an ID, consider that the American idea of a national ID system usually ends in two words: Big Brother. They don't trust the government with the kind of information available NOW and therefore don't want them to have any kind of unique identification specific to an individual across a country.

      (UPDATE: Found it in graphic form. URL: http://www.designsim.com.au/What_Is_Forticom.html) It sounds interesting, but I think it would be bad for people with really bad memories or a poor head for figures. Plus many malwares have taken to screencapping, meaning they can also interpret clicks. Also, while observing one login would not provide enough information, correlating multiple ones would probably help in cryptanalysis.

