Malware on point-of-sale terminals behind Target hack, at least three other well-known US retailers hit using similar methods

By on January 13, 2014, 10:30 AM
malware, hacking, security, target, data breach, pos, ram scraper

Gregg Steinhafel shed more light on Target’s data breach in a recent interview with CNBC. According to the company CEO, the source of the attack affecting as many as 70 million of its customers was malware installed on its point-of-sale systems. It’s not clear how it got there in the first place but Steinhafel says it was removed hours after discovery and promises to make significant changes to make sure it doesn’t happen again.

Although Steinhafel is sticking to sharing only things they are certain about as a forensic investigation unfolds, sources speaking to Reuters say that hackers likely used a technique called RAM scraping to steal customer data. This allows the perpetrators to capture payment data during the few milliseconds that it is stored, unencrypted, in the system’s volatile memory (RAM) in order to process the payment.

Visa issued alerts about attacks utilizing these types of malware in April and August last year, suggesting that retailers tighten firewalls so that POS systems communicate only with known systems, among other recommendations.

Target isn't alone in suffering a major data breach recently. Over the weekend, security expert Brian Krebs from Krebs on Security reported that upscale retailer Neiman Marcus was compromised too. The latter has since acknowledged the breach but hasn’t detailed the extent of it beyond saying it’s conducting an investigation.

There’s no evidence at this time that the Target and Neiman Marcus breaches are related. The timing has prompted speculation that might be the case, however, and now a separate report from Reuters indicates that at least three other well-known US retailers were hacked using similar methods.

Image via Shutterstock

OneSpeed said:

Back to the stone age....let's use cash.

1 person liked this | Guest said:

This is nonsense. They're straight lying to us now.

Not very long ago there was an article about the triple des encryption that they use to encrypt the credit card data.

I am a point of sale technician.

Credit card data is encrypted IMMEDIATELY by the pin pad itself, not by the computer that the pin pad is plugged into. Unencrypted credit card data should never make it to the computer to be scrubbed in the ram. This is nonsense and they're lying.

Let me make this clear, the pin pad itself encrypts the data, then sends it to some driver or middleman software on the pos computer which sends that data to the credit card processor. Scrubbing the ram would only garner encrypted data. So unless hackers have cracked triple des encryption then someone is lying.

What's the deal Target?

Why aren't firewalls already in place and rules in place to only allow credit card transactions and nothing else?

Executives at Target should be held responsible.

tipstir, TS Ambassador, said:

I hope I am not affected by this breach.. Good thing I didn't go and get that sound bar with sub woofer, it was less than $70. Target system is weak as it is. They should have spent the money and upgraded their system. Walmart has in some of their stores.

Guest said:

The key pad still must process the data before it encrypts it. If you can attack at that point you have the info.

Guest said:

Guest said:

This is nonsense. They're straight lying to us now.

Not very long ago there was an article about the triple des encryption that they use to encrypt the credit card data.

I am a point of sale technician.

Credit card data is encrypted IMMEDIATELY by the pin pad itself, not by the computer that the pin pad is plugged into. Unencrypted credit card data should never make it to the computer to be scrubbed in the ram. This is nonsense and they're lying.

Let me make this clear, the pin pad itself encrypts the data, then sends it to some driver or middleman software on the pos computer which sends that data to the credit card processor. Scrubbing the ram would only garner encrypted data. So unless hackers have cracked triple des encryption then someone is lying.

Why aren't firewalls already in place and rules in place to only allow credit card transactions and nothing else?

Executives at Target should be held responsible.

You're a point of sale technician, what are your qualifications for being responsible for multiple computers that deal with thousands of transactions?

I know a point of sale technician...got the job after stepping out of basic computer networking training.

Executives held responsible? You're the technician that installed the devices, no?

"sends it to some driver or middleman software" so...you're not sure where the data goes?

Even when a firewall is in place the data being sent is from the terminals...that you set up.

Guest said:

I am a POS programmer and you are not entirely correct about the interface between the card reader and the POS computer. For debit transactions, the card reader encrypts the PIN number and provides a key serial number (for 3DES encryption). This data is delivered to the POS software as a block of hex digits. However, the card's track 1 and track 2 strings are passed to the POS software as clear text. Those card tracks are then typically passed to a credit host through an encrypted interface. The software running on the POS will have the clear text image of the card tracks in RAM during that period where the POS receives the card data and when it formats a message to the credit host. It probably holds that information in memory until the credit host provides an approval or denial of the requested credit transaction, as it might need to resubmit the authorization request if it does not receive a response within a timeout period. After the transaction is either approved or rejected, the POS software should clear the block of RAM that contains the card track strings and encrypted PIN data.

Your description of a block of encrypted data that includes the card tracks being done at the card reader device would be the most effective method of preventing these types of card thefts. However, that would require the replacement of all the card readers and modifications of all POS systems that interface to the readers. The kind of cost is something no one seems willing to accept, so these data breaches appear to be tolerated.
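The article's RAM-scraping paragraph and the POS programmer's comment above describe the same window: clear-text track data sits in the POS application's memory from the moment the reader hands it over until the authorization completes, and it should be cleared once the host answers. The following is an added illustration in C, not code from Target, any POS vendor or anyone in this thread. It contrasts the leaky pattern (track data copied into a process-lifetime buffer and never cleared) with a hardened flow that parses the PAN, keeps only a masked copy, and wipes every clear-text buffer before returning. The struct and function names, the `send_to_credit_host` stub and the track 2 string are all constructed for the example; the card number is the 4111... test number, not a real card.

```c
#include <stddef.h>
#include <string.h>

#define TRACK2_MAX 40   /* ISO/IEC 7813 track 2 holds at most 40 characters */
#define PAN_MAX    19   /* a PAN is 12 to 19 digits */

/* Card data as the POS application receives it from the reader. Per the
 * thread, track 1/2 arrive as clear text; this is the clear-text copy
 * whose lifetime the application must control. (Hypothetical type.) */
typedef struct {
    char track2[TRACK2_MAX + 1];
} card_data_t;

/* Zeroing that survives optimisation: stores through a volatile pointer
 * are observable side effects, so the compiler cannot drop them the way
 * it may drop a plain memset() on a buffer that is never read again. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *q = (volatile unsigned char *)p;
    while (n--) *q++ = 0;
}

/* Returns 1 if every byte in the range is zero. */
int is_wiped(const void *p, size_t n) {
    const unsigned char *q = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++)
        if (q[i]) return 0;
    return 1;
}

/* Pull the PAN out of a track 2 string: optional ';' start sentinel,
 * then 12-19 digits terminated by '='. Returns the PAN length or -1. */
int track2_pan(const char *track2, char *pan, size_t panlen) {
    const char *s = (track2[0] == ';') ? track2 + 1 : track2;
    size_t n = 0;
    while (s[n] >= '0' && s[n] <= '9') n++;
    if (n < 12 || n > PAN_MAX || s[n] != '=' || n + 1 > panlen) return -1;
    memcpy(pan, s, n);
    pan[n] = '\0';
    return (int)n;
}

/* First 6 and last 4 digits visible, the rest masked: the only form of
 * the PAN that should reach receipts, logs or long-lived memory. */
int mask_pan(const char *pan, char *out, size_t outlen) {
    size_t n = strlen(pan);
    if (n < 10 || n + 1 > outlen) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (i < 6 || i >= n - 4) ? pan[i] : '*';
    out[n] = '\0';
    return 0;
}

/* Stand-in for the encrypted call to the credit host (hypothetical). */
static int send_to_credit_host(const char *pan) {
    (void)pan;
    return 1;   /* 1 = approved, 0 = declined */
}

/* BEFORE: the clear-text track is copied into a static buffer that lives
 * as long as the process, and nothing ever clears it or pan[]. */
static card_data_t retained;

int authorize_leaky(const card_data_t *card, char *masked, size_t maskedlen) {
    char pan[PAN_MAX + 1];
    retained = *card;
    if (track2_pan(retained.track2, pan, sizeof pan) < 0 ||
        mask_pan(pan, masked, maskedlen) != 0)
        return -1;
    return send_to_credit_host(pan);
}

int retained_has_track(void) { return retained.track2[0] != '\0'; }

/* AFTER: clear text lives only as long as the authorization needs it.
 * Every copy, including the caller's struct, is wiped before return and
 * only the masked PAN survives. Returns 1 approved, 0 declined, -1 error. */
int authorize_and_wipe(card_data_t *card, char *masked, size_t maskedlen) {
    char pan[PAN_MAX + 1];
    int rc = -1;
    if (track2_pan(card->track2, pan, sizeof pan) > 0 &&
        mask_pan(pan, masked, maskedlen) == 0)
        rc = send_to_credit_host(pan);
    secure_wipe(pan, sizeof pan);
    secure_wipe(card, sizeof *card);
    return rc;
}

/* Constructed sample track 2 (4111... test number, not a real card). */
#define SAMPLE_TRACK2 ";4111111111111111=25121011234567890?"

/* Each demo returns 1 when the behaviour described in its comment holds. */
int demo_leaky_retains(void) {
    card_data_t card = { SAMPLE_TRACK2 };
    char masked[PAN_MAX + 1];
    return authorize_leaky(&card, masked, sizeof masked) == 1 && retained_has_track();
}

int demo_hardened_wipes(void) {
    card_data_t card = { SAMPLE_TRACK2 };
    char masked[PAN_MAX + 1];
    int rc = authorize_and_wipe(&card, masked, sizeof masked);
    return rc == 1 && strcmp(masked, "411111******1111") == 0 && is_wiped(&card, sizeof card);
}
```

The wipe does not close the window entirely: the clear text still exists for the duration of the host round trip, which is exactly the interval the article says scrapers target. What it does is keep that interval from stretching into the process lifetime, and it keeps the full PAN out of anything that is logged or retained, so a memory capture taken between transactions finds masked data rather than track strings.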

Guest said:

A 4 character string of just numbers can be cracked overnight. If the hackers were smart they used a known card and pin to make a transaction. Then they will know when the hash is cracked.

9Nails, TechSpot Paladin, said:

Are the criminals that good, security that relaxed, or somewhere in between? I mean, how can we be certain that Target makes significant security changes so that this doesn't happen again?

1 person liked this | cliffordcooley, TechSpot Paladin, said:

Take their word as fact. lol

Guest said:

Let's all use Bitcoin instead = hahahahahahahahahahahahahahahahahahahahahaha as if.

Guest said:

The PIN number is 4 digits, but the PIN Pad card reader generates a 16-byte block of encrypted data. Debit PINs use a technique known as DUKPT, which generates a unique key for each transaction. This results in a different 16-byte block of encrypted data for each transaction, even if the same card and PIN is used multiple times. So, even if you knew the PIN associated with the encrypted PIN block, a brute force attack would be of no use, as the key that is used to encrypt all the other PINs would be different. The only effective way of extracting the PIN from an encrypted data block is to have access to the keys and algorithms used at the host processing location. That is probably much harder to hack into.

tonylukac said:

I wouldn't be surprised if some government didn't do this, the vastness of it.

Guest said:

Back to the stone age....let's use cash.

Unfortunately, cash is not accepted everywhere. For instance, cash is useless if you need to purchase items online or pay a monthly cell phone bill. In fact, I'm a MetroPCS subscriber and they don't even accept cash at all.
