Wired Threat Level: Target Got Hacked Hard in 2005. Here’s Why They Let It Happen Again
it’s an industry-wide problem
What the Target Thieves Got
Not a lot is known about how the latest Target hack occurred. The intruders began the heist November 27, the day before Thanksgiving, and spent two weeks gobbling up unencrypted credit and debit card data for 40 million customers before the company discovered their presence December 15.
In addition to card data, the thieves also swiped PINs for the accounts, though the company says the PINs are worthless because they were encrypted with Triple DES at the card reader, and the key for decrypting them was not stored on Target’s system. Recently Target revealed that the thieves also absconded with the names, addresses, phone numbers, and email addresses of some 70 million customers – some of whom are the same customers whose card data was stolen. A recent report indicates the hackers got 11 gigabytes of data that was siphoned to an FTP server and from there sent to a system in Russia.
There is strong evidence that the DES protocol contains backdoors installed as a “courtesy” to the NSA. Be that as it may, DES is no longer considered secure.
The card data was siphoned from Target’s point-of-sale systems, the company says. A report released Thursday by security firm iSight Partners, revealed that the attack involved a RAM scraper, a malicious program that steals data from a computer’s memory. It also noted that the operation was “persistent, wide-ranging, and sophisticated.”
“This is not just your run-of-the-mill hack,” according to iSight, which has been working with law enforcement to investigate the attacks.
But the stolen phone numbers and emails from Target also suggest the attackers accessed a backend database, possibly the Customer Relationship Management system, used to track customer transactions and manage customer service and marketing.
The breach of Neiman Marcus was likely carried out by the same hackers, though the company has not yet revealed how many customers were affected. The New York Times reported that the intrusion began in July and went undetected for five months until the company discovered the breach this month. At least three other small retailers reportedly were breached as well. They’ve yet to be identified, and no figure for the number of cards stolen from them has been released.
All of this happened despite the requirement that companies accepting credit and debit cards adhere to a Payment Card Industry standard for security known as PCI-DSS. The standard was developed by Visa and other card companies in part to stave off would-be government regulation, and has been in place since 2001.
It requires, among other things, that companies have firewalls in place, that they have up-to-date antivirus programs installed, and most importantly that card data is encrypted when it’s stored or while in transit over a public network. A new version of the standard was released last November, the month Target was breached, that also directs companies to protect credit-card terminals — known as point-of-sale terminals — from physical tampering. This was likely spawned by a wave of hacks in 2012 that involved the physical installation of RAM-scrapers and other malware onto PoS systems by thieves who had access to the devices.
Companies are also required to obtain regular security audits from third-party firms to certify their compliance. The card companies have touted the standards and audits as evidence that customer transactions are secure and trustworthy. Yet nearly every time a breach has occurred since PCI was instituted, the hacked company has in post-breach audits been found to have been out of compliance, even though they had been certified compliant before the breach was discovered.
That was the case with at least two of the Gonzalez hacks. Both Heartland Payment Systems and Hannaford Bros. were certified compliant while the hackers were in their system. In August 2006, Wal-Mart was also certified PCI-compliant while unknown attackers were lurking on its network.
CardSystems Solutions, a card-processing company that was hacked in 2004 in one of the largest credit card data breaches at the time, was breached three months after CardSystems’ auditor, Savvis Inc, gave the company a clean bill of health.
Inherent Flaws In the System
All of these companies had different vulnerabilities and were hacked in different ways, but their cases highlight inherent flaws in both the standards and the auditing process that are supposed to keep customer card data secure.
Audits take only a snapshot of a company’s security at the time of the audit, which can change quickly if anything on the system changes, introducing new and undetected vulnerabilities. What’s more, the auditors rely in part on the companies providing complete and accurate information about their systems — information that isn’t always complete or accurate. But the biggest problem is the standard itself.
“This PCI standard just ain’t working,” says Litan, the Gartner analyst. “I wouldn’t say it’s completely pointless. Because you can’t say security is a bad thing. But they’re trying to patch a really weak [and] insecure payment system [with it].”
The problem goes right to the heart of the system for processing card payments. With small restaurants, retailers, and others that accept card payments, the transactions go through a processor, a third-party company that reads the card data to determine where to send it for authorization. Large retailers and grocery chains, in contrast, act as their own processor: Card transactions are sent from the company’s individual stores to a central point on the corporate network, where the data is aggregated and routed to the proper destination to be authorized.
But both scenarios have a major flaw in that the PCI standards don’t require companies to encrypt card data while in transit either on the company’s internal network or on its way to a processor, as long as the transmission is over a private network. (If it crosses the public internet it must be encrypted.) Some companies, however, secure the processing channel through which the data travels — similar to the SSL encryption used to protect website traffic — to prevent someone from sniffing the unencrypted data inside the channel as it moves.
Target was likely using such a secure channel within its network to transmit unencrypted card data. But that wasn’t good enough. The attackers simply adapted by employing a RAM scraper to grab the data in the point-of-sale device’s memory, where it was not secured.
A security researcher who has extensive knowledge of card processing systems but asked not to be identified says he first began seeing RAM scrapers used against merchants in late 2007 after another set of PCI standards, known as the Payment Application Data Security Standard was implemented for card readers. Those standards prohibited a widespread practice of storing credit card numbers on point-of-sale terminals long after a transaction was completed, which allowed hackers to copy them at their leisure. The newer standard, along with the practice of sending data through a secure channel, forced hackers to switch their tactics and grab card data during the split-second that it’s unsecured in the memory of POS systems while the transaction is in progress.
“Criminals learned that if they used a RAM scraper, there will be a point of time in every POS system where that data is in the clear,” the researcher says. “It may only be for a split second, so they will find that.”
Litan says RAM scrapers could be rendered useless if the PCI standards required companies to encrypt card data at the keypad, in the same way that PINs are required to be encrypted — that is, from the moment they’re entered on a keypad at a restaurant or grocery store, until the moment they arrive to a bank issuer for authorization. Part of the data identifying the issuer could be decrypted by the processor to route it to the proper destination, but the card account number and expiration could remain encrypted.
This would require new protocols be written, however, since most card processors are not set up to decrypt card data.
Retailers Oppose Tougher Standards
The security researcher says that companies that accept card payments have opposed solutions like this for years. Large retailers and grocery stores that are members of the PCI Council have resisted toughening standards on the ground that some solutions would be costly to implement or result in slower transaction times that could frustrate customers and sales.
“They’re utilizing a ten-year-old system,” he says, and to make changes would slow down the processing and create extra costs. “When it’s busy during Christmas, even three or four seconds per transaction means less money.”
The Target breach underscores that the industry needs radical change. “The only way to really beat this thing is to make the data unusable if it’s stolen and to protect it the entire time,” Litan says.
And that’s exactly what the card industry is proposing to do with a technology called EMV, colloquially known as “chip-and-PIN” cards.
Already implemented widely in Europe and Canada, EMV cards have a microchip embedded in them that authenticates the card as a legitimate bank card, to prevent hackers from using any blank bank card embossed with stolen data. The chip contains the data that traditionally is stored in the magnetic strip of a card, and also has a certificate so that each transaction is digitally signed. Even if a thief obtained the card data, he wouldn’t be able to generate the code needed for a transaction without the certificate.
For now, however, EMV cards also come with a magnetic strip on the back of them, so they can be used in terminals that are not designed for chip-and-PIN cards. This makes them vulnerable to the same types of card fraud in places like the U.S. that don’t require EMV cards. Hackers have designed rogue readers to extract data from the mag strip on these cards in Europe and then used the data in the U.S. for fraudulent transactions.
These smarter credit and debit cards are slowly being rolled out in the U.S. — for now, mostly to well-to-do customers whom the card companies expect may travel to Europe. But eventually, the card companies want all cardholders in the U.S. to have them or a slightly less secure variant known as the “chip-and-signature” card.
Beginning October 1, 2015, Visa expects companies that process bank card transactions in the U.S. to have EMV readers installed, or they could face liability for fraudulent transactions that occur with the cards. But until every cardholder has an EMV card, and every outlet that processes bank cards uses only EMV terminals, the cards are still subject to fraud.
Read it all.
Security firm IntelCrawler posted that the teen sold the software responsible for breaching security at the retailers and affecting as many as 110 million Target customers alone.
From Russia, with malware.
A 17-year-old Russian national from St. Petersburg was responsible for the malicious programing that allowed for data from Target and Neiman Marcus to be compromised, according to a California-based security firm.
IntelCrawler said in a blog post Friday that it identified the creator, who they said wasn’t responsible for the security breaches of the two retailers, but rather sold the software to cybercriminals throughout Eastern Europe.
The company’s CEO, Andrew Komarov, said it was possible for Target and Neiman Marcus to be hacked after the software tried several easy passwords to remotely hack the stores’ registers, and added that the malware, called BlackPOS, has been downloaded some 60 times.
Target’s security breach following a Black Friday shopping blitz affected up to 110 million customers. However, Neiman Marcus has yet to reveal how many shoppers were affected, or what kind of data was taken.
Much more here.
Please Help Support BeforeitsNews by trying our Natural Health Products below!
Order by Phone at 888-809-8385 or online at https://mitocopper.com M - F 9am to 5pm EST
Order by Phone at 888-388-7003 or online at https://www.herbanomic.com M - F 9am to 5pm EST
Order by Phone at 888-388-7003 or online at https://www.herbanomics.com M - F 9am to 5pm EST
Humic & Fulvic Trace Minerals Complex - Nature's most important supplement! Vivid Dreams again!
HNEX HydroNano EXtracellular Water - Improve immune system health and reduce inflammation
Ultimate Clinical Potency Curcumin - Natural pain relief, reduce inflammation and so much more.
pathogens and gives you more
energy. (See Blood Video)
Oxy Powder - Natural Colon Cleanser! Cleans out toxic buildup with oxygen!
Nascent Iodine - Promotes detoxification, mental focus and thyroid health.
Smart Meter Cover - Reduces Smart Meter radiation by 96%! (See Video)