The massive data breach at Target during the 2013 holiday shopping season, which the retailer now admits affected 70 customers, used an inexpensive “off the shelf” malware available online for as little as $1,800, reports Krebs on Security. This malware, known as BlackPOS, is likely of Russian origin and may have also been involved in the Neiman Marcus attack—and others allegedly known but not confirmed.
The malware was surreptitiously installed on the embedded Windows OS computers in the point of sale (POS) terminals in all of Target’s U.S. stores. The company’s Canadian outlets apparently use a different software system and were not targeted in the attacks. Although the magnetic stripe information is encrypted on its way out of these POS terminals to the financial institutions for verification, the data is briefly stored in plain text in the unit’s RAM (memory). Thus, the malware “scrapes” this info from the RAM and stores it until it can be retrieved in batches through a persistent remote connection.
The real weakness, though, is not in the POS terminals but in Target’s central data network. The crooks apparently had an open channel to every POS terminal in every Target store for over two weeks! The price of the malware itself indicates that it’s not rocket science, but neither, I guess, is cracking the whole network.
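The two facts above, a batched pickup over a persistent connection and a channel from the central network to every register, are exactly what a defender can look for in flow logs. The script below is an added example, not code from the article or from any of the parties it names: it reads constructed flow records for a hypothetical POS subnet (10.20.5.0/24) whose only sanctioned destination is a payment gateway (203.0.113.10:443), flags every register-originated connection outside that allowlist, and separately reports channels whose transfers recur at a near-constant interval, the signature of a scheduled batch pickup. The addresses, ports and schedule are assumptions made up for the sample.

```python
"""Added example (not from the article): flag POS hosts talking outside the
payment allowlist and spot regular-interval batch transfers in flow logs.
All log lines, addresses and ports below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed flow records: timestamp src_ip dst_ip dst_port bytes_out
SAMPLE_FLOWS = """\
2013-12-02T01:00:03 10.20.5.11 203.0.113.10 443 1840
2013-12-02T01:00:07 10.20.5.12 203.0.113.10 443 1790
2013-12-02T02:00:01 10.20.5.11 10.20.9.40 445 524288
2013-12-02T03:00:02 10.20.5.11 10.20.9.40 445 530000
2013-12-02T04:00:03 10.20.5.11 10.20.9.40 445 519000
2013-12-02T05:00:01 10.20.5.11 10.20.9.40 445 540000
2013-12-02T01:15:44 10.20.5.12 198.51.100.7 21 2048
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def find_policy_violations(flows, pos_prefix, allowlist):
    """Registers should reach only the payment gateway; any other destination is a finding."""
    return [
        f for f in flows
        if f["src"].startswith(pos_prefix) and (f["dst"], f["port"]) not in allowlist
    ]


def find_periodic_transfers(flows, min_events=4, tolerance=0.05):
    """Group flows by (src, dst, port) and report channels whose inter-event gaps
    vary by no more than `tolerance` of the mean gap: a scheduled batch pickup."""
    by_channel = defaultdict(list)
    for f in flows:
        by_channel[(f["src"], f["dst"], f["port"])].append(f)
    findings = []
    for channel, events in by_channel.items():
        if len(events) < min_events:
            continue
        events.sort(key=lambda f: f["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and (max(gaps) - min(gaps)) / avg <= tolerance:
            findings.append({
                "channel": channel,
                "interval_s": round(avg),
                "events": len(events),
                "bytes": sum(e["bytes"] for e in events),
            })
    return findings


def analyze(text=SAMPLE_FLOWS, pos_prefix="10.20.5.",
            allowlist=frozenset({("203.0.113.10", 443)})):
    """Run both checks over a flow log and return the findings."""
    flows = parse_flows(text)
    return {
        "violations": find_policy_violations(flows, pos_prefix, allowlist),
        "periodic": find_periodic_transfers(flows),
    }


if __name__ == "__main__":
    result = analyze()
    for f in result["violations"]:
        print(f"POLICY   {f['src']} -> {f['dst']}:{f['port']} "
              f"({f['bytes']} bytes) at {f['ts']}")
    for p in result["periodic"]:
        src, dst, port = p["channel"]
        print(f"PERIODIC {src} -> {dst}:{port} every ~{p['interval_s']}s, "
              f"{p['events']} transfers, {p['bytes']} bytes total")
```

On the sample, the allowlist check flags five flows (four SMB transfers to an internal host and one FTP session to an outside address), and the periodicity check singles out the hourly half-megabyte SMB pushes from one register. The point of running both is that an internal staging hop would pass a perimeter-only rule; the allowlist has to be enforced, and alerted on, at the register's own segment boundary.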
The POS terminals themselves can be replaced with newer models that encrypt end to end. This will be expensive, but nothing, obviously, compared to the hit that Target has taken thus far. It is surprising that its overall network is so open. The same things that make for convenient remote administration also create huge security holes. WiFi networks have been implicated in previous larger retail breaches, but Target has not specified the vector of the attack. All that Target CEO Gregg Steinhafel was willing to tell CNBC in an interview on Saturday was that, “We don’t know the full extent of what transpired, but what we do know is that there was malware installed on our point-of-sale registers. That much we’ve established.”
According to Reuters, “smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target.” Brian Krebs of Krebs on Security says he is not ready to confirm this but assures that “when and if I have information about related breaches I feel confident enough about to publish, you will read about it here first.” I’ll be looking for that any day now.
The only up note in Target’s disclosure is that it is highly unlikely that the perpetrators would have been able to crack the triple-encrypted PIN codes for the purloined card numbers. There is no known method for doing so but there have been reports of inquiries on message boards about such capabilities coinciding with this data breach. The PIN codes would allow the criminals to produce fake cards and use them to withdraw cash. Absent that, a source familiar with these matters tells me that the typical scenario for such stockpiles of credit card numbers is to use them to buy small electronics which can then be resold (new, in the box) on eBay, Amazon and other online marketplaces. This kind of “gray market” activity is responsible for the ability of certain sellers of such items to consistently price their goods just below market value (since they are not paying anything for them anyway!) Combating these kinds of mass outlets for goods purchased with stolen credit cards could make wholesale hoovering of financial data less liquid, and ostensibly less prevalent.