Target CEO Gregg Steinhafel has admitted that there was malware on its point-of-sale (PoS) systems.
In an interview with CNBC, Steinhafel said that while it did not know the full extent of what transpired, it had established the malicious compromise. According to Sophos’ Naked Security blog, credit card data is not encrypted all of the time, even on PCI-DSS compliant systems, instead it is briefly unencrypted inside the PoS terminal itself.
Writing on the blog, Paul Ducklin said: “Putting malware into PoS terminal hardware devices is possible, and lets you can skim off payment card data as early in the process as possible. But that sort of scam is hard to perpetrate on a national scale, especially at in-store sales points.
“That’s where so-called RAM scraping malware comes into the picture. RAM scraping works because payment card data is often also unencrypted in memory (RAM) in the PoS register. This happens as the data is transferred from the PoS terminal to the PoS register. Of course, PoS registers usually run some version of Windows, and are connected together on an enterprise-wide network.”
A source close to the Target breach told IT Security Guru that the company had not done enough in the way of security validation for the retail environment. A third party quality assurance person raised the concern that insufficient penetration testing and vulnerability scanning was done and overlooked against the PoS system.
“A lot of retailers try this on as a way of saving money and rather than taking a sample and working back, they basically try to ignore their retail environments, or push the QSA not to review them because it can add a lot to the cost of the audit,” they said.
They also said that encrypted pins were compromised, suggesting that the data was stolen during or just before it was transmitted (either via the pin pad to POS, or POS to processor). The QA person said that the pin pad was not compromised, so there is a good chance people won’t see ATM cash-frauds from cloned cards.
However it has also transpired that CVV details may have been compromised and full track data has been stolen from the magstripe. “So cloned cards could be created but only used for face to face purchases in store – i.e. with a signature or in online environments where the CVV2 security code isn’t asked for,” they said.
“The way in which the data has been stolen strongly indicates that the attackers got a foothold within store networks rather than just popping a website. This is reminiscent of the TJ Maxx compromise. So it could have been via rogue wireless or in store networks or possibly even an external attacker that managed to leverage a vulnerability to the take over an internal computer.
“Either way for the volume of data to have been more than 40 million, I suspect that custom PoS malware was used to grab the data and then send it out to the criminal fraternity involved.”
Commenting, Neira Jones, partner at Accourt Consulting said that whilst the criminals won’t be able to use the cards at ATMs, they can still use them at shops as there are still a lot that do not require a PIN.
“From a commercial point of view, not all the issuers have re-issued compromised cards, because the
timing was perfect (i.e. Christmas) and didn’t want to have their customer stuck for payments if compromised cards were cancelled and waiting to be re-issued. All in all, a very well timed affair.”