Malware on point-of-sale terminals behind Target hack, at least three other well-known...

By Jos · 13 replies
Jan 13, 2014
Post New Reply
  1. Gregg Steinhafel shed more light on Target’s data breach in a recent interview with CNBC. According to the company CEO, the source of the attack affecting as many as 70 million of its customers was malware installed on its point-of-sale...

    Read more
  2. OneSpeed

    OneSpeed TS Addict Posts: 286   +92

    Back to the stone age....let's use cash.
  3. This is nonsense. They're straight lying to us now.

    Not very long ago there was an article about the triple des encryption that they use to encrypt the credit card data.

    I am a point of sale technician.

    Credit card data is encrypted IMMEDIATELY by the pin pad itself, not by the computer that the pin pad is plugged into. Unencrypted credit card data should never make it to the computer to be scrubbed in the ram. This is nonsense and they're lying.

    Let me make this clear, the pin pad itself encrypts the data, then sends it to some driver or middleman software on the pos computer which sends that data to the credit card processor. Scrubbing the ram would only garner encrypted data. So unless hackers have cracked triple des encryption then someone is lying.

    What's the deal Target?

    Why aren't firewalls already in place and rules in place to only allow credit card transactions and nothing else?

    Executives at Target should be held responsible.
    9Nails likes this.
  4. tipstir

    tipstir TS Ambassador Posts: 2,474   +126

    I hope I am not effected by this breach.. Good thing and didn't go and get that sound bar with sub woofer it was less that $70. Target system is weak as it is. They should have spent the money and upgraded their system. Walmart has in some of their stores.
  5. The key pad still must process the data before it encrypts it. If you can attack at that point you have the info
  6. You're a point of sale technician, what are your qualifications for being responsible for multiple computers that deal with thousands of transactions?
    I know a point of sale the job after stepping out of basic computer networking training.
    Executives held responsible? Your the technician that installed the devices, no?
    "sends it to some driver or middleman software"'re not sure where the data goes?

    Even when a firewall is in place the data being sent is from the terminals...that you set up.
  7. I am a POS programmer and you are not entirely correct about the interface between the card reader and the POS computer. For debit transactions, the card reader encrypts the PIN number and provides a key serial number (for 3DES encryption). This data is delivered to the POS software as a block of hex digits. However, the card's track 1 and track 2 strings are passed to the POS software as clear text. Those card tracks are then typically passed to a credit host through an encrypted interface. The software running on the POS will have the clear text image of the card tracks in RAM during that period where the POS receives the card data and when it formats a message to the credit host. It probably holds that information in memory until the credit host provides an approval or denial of the requested credit transaction, as it might need to resubmit the authorization request if it does not receive a response within a timeout period. After the transaction is either approved or rejected, the POS software should clear the block of RAM that contains the card track strings and encrypted PIN data.

    Your description of a block of encrypted data that includes the card tracks being done at the card reader device would be the most effective method of preventing these types of card thefts. However, that would require the replacement of all the card readers and modifications of all POS systems that interface to the readers. The kind of cost is something no one seems willing to accept, so these data breaches appear to be tolerated.
  8. A 4 character string of just numbers can be cracked overnight. If the hackers were smart they used a known card and pin to make a transaction. then they will know when the hash is cracked.
  9. 9Nails

    9Nails TechSpot Paladin Posts: 1,215   +177

    Are the criminals that good, security that relaxed, or somewhere in between? I mean, how can we be certain that Target makes significant security changes so that this doesn't happen again?
  10. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,726   +3,700

    Take their word as fact. lol
    9Nails likes this.
  11. Let's all use Bitcoin instead = hahahahahahahahahahahahahahahahahahahahahaha as if.
  12. The PIN number is 4 digits, but the PIN Pad card reader generates a 16-byte block of encrypted data. Debit PINs use a technique known as DUKPT, which generates a unique key for each transaction. This results in a different 16-byte block of encrypted data for each transaction, even if the same card and PIN is used multiple times. So, even if you knew the PIN associated with the encrypted PIN block, a brute force attack would be of no use, as the key that is used to encrypt all the other PINs would be different. The only effective way of extracting the PIN from an encrypted data block is to have access to the keys and algorithms used at the host processing location. That is probably much hard to hack into.
  13. tonylukac

    tonylukac TS Evangelist Posts: 1,374   +69

    I wouldn't be surprised if some government didn't do this, that vastness of it.
  14. Unfortunately, Cash is not accepted everywhere. For instance, cash is useless if you need to purchase items online or pay monthly cell phone bill. In fact, I'm a MetroPCS subscriber and they don't even accept cash at all.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...