
Target data breach exposes serious threat of POS malware and botnets

In the wake of Target's massive data breach, Michael Kassner explores the rise of POS malware and botnets.

After the Target data breach, I became curious as to how digital criminals were able to manipulate Point of Sale (PoS) systems without raising red flags. From what I’ve read, it’s surprisingly easy.

Before we dive into what the bad guys can do, let’s take a quick look at a generic PoS system. PoS hardware consists of the device customers use to swipe their credit or debit card, plus the computing equipment electronically attached to that device.

PoS software consists of the applications that process the data found on the credit or debit card’s magnetic stripe. The key information the software looks for is stored on two tracks:

  • Track one: Cardholder’s name and account number
  • Track two: Credit-card number and expiration date

Many PoS systems are Windows-based

I am not sure why, but I assumed PoS applications would run on proprietary software. They don’t; most are Windows-based. This blog post from Arbor Networks spells out what that realization means: “PoS systems suffer from the same security challenges that any other Windows-based deployment does.”

They may have the same security challenges, but the Arbor Networks blog touches on why threats targeting PoS systems are more of a concern:

“Potential brittleness and obvious criticality of PoS systems may be a factor in the reportedly slow patch deployment process on PoS machines, which increases risk.”

I was curious as to why patch deployment would be slow, particularly on mission-critical systems like PoS. A source of mine conversant with PoS systems explained that patch deployment is slow or non-existent because of the many government and industry regulations. If a company supplying PoS systems updates or changes its product and the change crosses a certain threshold, the product has to go through an approval process again.

Another reason for slow patch rollout is that management has learned to err on the side of caution when it comes to updates, remembering when it was anyone’s guess whether an update would install correctly, brick workstations, or bring down mission-critical servers.

PoS malware

Some fallout from the Target data breach has been the acknowledgment that PoS systems are under attack. This US-CERT bulletin from January 2nd mentions:

“For quite some time, cyber criminals have been targeting consumer data entered in PoS systems. In some circumstances, criminals attach a physical device to the PoS system to collect card data. In other cases, cyber criminals deliver malware which acquires card data as it passes through a PoS system.”

The US-CERT quote is an opportunity for me to introduce Dexter, the PoS malware referenced in the bulletin. In early 2013, researchers with Arbor’s Security Engineering and Response Team discovered servers hosting Dexter.

Dexter steals the process list from the infected computer and dissects memory dumps looking for the track one and track two data I mentioned earlier. At a certain point, the infected machine sends the captured data to the attackers’ command and control server, after which the criminals are free to use the information to clone cards. The unfortunate thing is that, as of yet, no one understands how the malware makes its way into the PoS system.

PoS botnets

It seems bad guys are not content with their success, deciding to bring their game to the next level—PoS botnets.

This from Ars Technica:

“Underscoring the growing sophistication of Internet crime, researchers have documented one of the first known botnets to target PoS terminals.”

Dan Goodin, in the Ars Technica post, mentions that Dexter went through a major revision and now incorporates botnet malcode. Grouping all the infected machines into a botnet lets the bad guys monitor, in real time, the goings-on of every infected machine. It also lets the bot masters issue commands that immediately propagate to all member bots. To put it simply, botnet technology helps the bad guys steal more money while improving their odds of avoiding detection.

Guidelines to protect PoS systems

Visa took a hard look at Dexter and came up with some preventive guidelines in this security alert. First, Visa identified a set of domains associated with Dexter (they are listed in the alert) and recommends that businesses add them to their outbound firewall rule sets. Visa also recommends adding file-integrity monitoring and network-based intrusion detection to PoS systems, and isolating the PoS system from the rest of the business’s internal network.
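Visa’s guidance boils down to an explicit egress policy for the PoS segment: terminals talk only to the systems they need, and anything on the alert’s block list is denied and logged. The script below is an added example (not Visa’s or the article’s code) that replays constructed connection-log lines against such a policy; the log format, host names, the `*.corp.example` patch server and the placeholder block-list domain are all assumptions.

```python
"""
Egress policy check for an isolated PoS segment.

Replays connection-log lines against an explicit allow-list (payment gateway,
corporate servers) and a block-list (domains named in a fraud alert) and
reports every connection that violates either rule. Every host, domain and
log line here is constructed for illustration.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Iterable, List, Optional

# Assumed log format (constructed): "<timestamp> <src_host> -> <dst>:<port> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Connection:
    ts: str
    src: str
    dst: str
    port: int
    proto: str


def parse_log_line(line: str) -> Optional[Connection]:
    """Return a Connection, or None for lines that do not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Connection(m["ts"], m["src"], m["dst"].lower(), int(m["port"]), m["proto"].lower())


# Allow-list entries are "host-pattern:port"; fnmatch wildcards are allowed in the host
# part. These are constructed names for a payment gateway and corporate-segment servers.
ALLOWLIST = [
    "gateway.payments-processor.example:443",
    "*.corp.example:8530",  # patch distribution on the corporate segment (assumed port)
    "*.corp.example:53",
]

# Placeholder for the domains a fraud alert would list; the real values come from the alert.
BLOCKLIST = ["c2-domain-from-visa-alert.example"]


def _allowed(conn: Connection, allowlist: Iterable[str]) -> bool:
    for entry in allowlist:
        host_pat, _, port = entry.rpartition(":")
        if int(port) == conn.port and fnmatch(conn.dst, host_pat):
            return True
    return False


def _blocked(conn: Connection, blocklist: Iterable[str]) -> bool:
    # Match the listed domain itself and any subdomain of it.
    return any(conn.dst == d or conn.dst.endswith("." + d) for d in blocklist)


def check_egress(lines: Iterable[str], allowlist=ALLOWLIST, blocklist=BLOCKLIST) -> List[str]:
    """Return one alert string per policy violation, in log order."""
    alerts = []
    for line in lines:
        conn = parse_log_line(line)
        if conn is None:
            continue  # malformed line; a real deployment would count and report these
        if _blocked(conn, blocklist):
            alerts.append(f"{conn.ts} {conn.src}: BLOCKED-DOMAIN {conn.dst}:{conn.port}")
        elif not _allowed(conn, allowlist):
            alerts.append(f"{conn.ts} {conn.src}: NOT-ALLOWLISTED {conn.dst}:{conn.port}/{conn.proto}")
    return alerts


# Constructed sample: three legitimate connections, one block-list hit, one unexpected
# FTP session to an address outside the allow-list, and one malformed line.
SAMPLE_LOG = """\
2014-01-10T09:15:02Z pos-lane-03 -> gateway.payments-processor.example:443 tcp
2014-01-10T09:15:40Z pos-lane-03 -> wsus.corp.example:8530 tcp
2014-01-10T09:16:11Z pos-lane-07 -> dns.corp.example:53 udp
2014-01-10T09:17:05Z pos-lane-03 -> c2-domain-from-visa-alert.example:80 tcp
2014-01-10T09:18:30Z pos-lane-07 -> 203.0.113.50:21 tcp
this line is garbage and should be skipped
"""

if __name__ == "__main__":
    for alert in check_egress(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the embedded sample it reports exactly two violations: the block-list hit and the FTP connection that no allow-list entry covers.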

Visa and every other source I read mentioned one thing that is paramount to keeping PoS systems secure, and it’s something we touched on earlier: keep computers, especially those running Windows operating systems, up to date.


37 comments
Eric Eberhard

This article is not 100% correct.  But it touches on the problem.  I have been writing credit card software since the 80s, including over the Web and have NEVER had a breach.  I'll tell you why later.


One of the more important points that is correct is that a software vendor with PCI certified software (required to take credit cards) cannot make changes without going through wholesale extremely expensive certification.  It takes months to do. For a user like Target it involves a LOT more than software -- it includes business rules, employee manuals, etc.  That takes months to complete.  New software for the customer means new certification required for the customer.  I cannot get a customer new software faster than a year AFTER I have made a patch!  It is in many ways more legal than technical -- it is about legally assigning blame.  Essentially if Target was certified PCI compliant (hence their software must have been as that is part of it) then they get "safe harbor" from Visa -- meaning Visa is liable.  If not, Target is liable.  You can bet Visa is trying to prove that Target was not PCI compliant and Target is trying to prove they are!  And since they in all likelihood received certification ... that makes it messy.


I disagree with how you assign fault.  Often when rules are published and certifications are given, people assume that is enough.  So the credit card companies -- simply by having such a thing as PCI compliance and making it so difficult to update and fooling end users that they are safe -- they get a large part of the blame.

I have had a suggestion for credit card companies for decades -- put whatever they want on the mag stripe, already encrypted!  When software gets approval -- just send the raw data from the card.  That is not how it works.  I have to read the card, get the data (in the clear), format into Visa's format (in the clear), and then send it to them encrypted ... the answer also must be dealt with in the clear.  That is crazy.  Of course software can intercept at any point where the data is in the clear.  We don't need chips and pins ... just encrypted mag stripes and if you like pins (since that infrastructure is there already for debit cards).  Mostly this does not change because the clearing houses for the credit card companies have old legacy software that they can't/won't change.  I certified for Version II VISA standards (was the first actually) in the 80s.  That is still the current standard!

So once more I blame the credit card companies more than anyone.  Not Target who probably is PCI compliant and was following the "rules."


Things credit card companies can do include:

Find some people that actually know computers to handle certification.  For example, there is a requirement that mag stripe data not be written to disk. OK.  But, almost every O/S on the planet does "paging" and will in fact write memory to disk as it pleases and out of the programmer's control.  I was told when I first certified (they have only been doing PCI about a decade or so) that I had to remove "the disk" and give it to the auditor to do a forensic analysis.  He was stunned to find out that IBM Power disks (RS 6000 at the time) do not work in PCs.  He could not grasp that I had at the time 8 drives in a 5 times RAID in a cabinet connected to two redundant HA (High Availability) computers ... so technically the computers had no "disk" and on the disks it used the data was scattered all over willy-nilly.  Essentially this was impossible to comply with.  We worked it out.  I had a hard time explaining IPC (inter process communication) does not have anything to do with the network -- that the data is all in memory on the main box and never leaves there.  I could go on ...

If they are going to update hardware -- why not go biometric?  My laptop reads my fingerprint and logs me in.  So an encrypted card could contain biometric data and when scanned, the POS system could encrypt that and compare to the card.  Easy enough to do, hard to fake.  Fairly soon home systems will have that and it can be cheap (put it in the keyboard or stand alone USB).

There are two things that can be done that most people don't do.  My software runs on IBM Power II (AIX Unix) and the credit card transactions are all handled by the server.  To date I  know of no AIX viruses.  There is a benefit to not being Windows.  One could have non-Windows credit card readers that could easily read encrypted data, send to the clearing house, and get back only an "approval code" which would be a single use code that would allow for capture of the data (even better would be to authorize and capture all at once if possible).  Companies that need to do an end of day capture would not have to have credit card numbers -- they would use the "one time use" number.  This can even be used when a company scans a card and authorizes later.

When running off the server there is only one computer involved for thousands of client POS terminals.  Information is not passed over the network -- it is in memory (not that someone could not invent an AIX virus to read memory -- they just don't now and AIX is a lot tougher than Windows).  The server is behind a very secure network (firewall, etc) that severely limits where the data can be sent, etc.

And as good fortune would have it, I sell my software to wholesale outfits, so the credit cards are entered into the computer by a telephone call.  So the card never goes on the network except encrypted to Visa.  That is a design decision.  We allow users to name their cards (like "company Visa" or "Mary's Card") and on the Web that is all they can see, select, etc.  So a card number never goes over a network.  

But the trick of the design can be repeated in retail simply if the mag stripe is encrypted to start with and a simple one-time use code is returned.  Design is a better way to protect the data than trying to make a hack-proof virus-proof system.  Simply don't allow clear text versions of credit card data to exist.  If a store wants to keep your card on file, keep the encrypted data.  If they take it over the phone, use a dedicated keypad that sends only encrypted data and allows the computer to store that.  

In summary:

My point is that PCI compliance provides the illusions of security -- very dangerous.  If I cannot lock my car I won't leave my wallet in it.  If I believe it is impossible to break into my car I will.  The legal and certification overhead is so fierce that updates can't be done timely.  Design is bad because the credit card companies store data such that you must own it in a clear text format at least for some period of time and put it on a network and potentially store on disk.  Design is bad because it depends on network security (an oxymoron) rather than good design.

Kevin Herrick

Fox Business actually gives great info on this subject.

fltwoway0

I would be remiss not to mention the fact that Target, like most box stores, outsources their ICT needs. Since box stores are in the business of delivering goods, it makes good business sense to enlist other contractors, CompuCom in this case, to address aspects in which they do not specialize. Again, mere speculation on my part, an employee of the contractor who has access to the entire infrastructure can compromise the data as in the case of Edward Snowden employed by Booz Allen Hamilton. The truth is an organization can have the best protocols in the business but personnel that lack integrity or are apathetic in their responsibilities render protocols ineffectual.

gejones2

I think we cannot assume the attack vector was a POS external device or even a hack. With the little information we have of the incident, and how the number has changed from 40M to 70M and now 110M and the data loss also included non-PCI mandated protected data, this has grown from a data breach to a data dump. As most research has revealed, inside threats may have been in place for awhile, we just don't know yet.


@mnemennth Just keep in mind PCI was created by VISA/MC to shift risk and liability down and away from themselves. 


Basic information security best practices like what @fltwoway0 mentions in his post are not practiced with the rigor necessary to face the threats of information security. You may have noticed I did not use the term cybersecurity because there is no evidence this was a hack.


The real problem, and I feel for these teams, is that bean-counters decided that infrastructure spending, which includes information security resources, education, and monitoring, be reduced because "IT is a cost and security is a part of that" and not as sexy as internet commerce potential. You, as customers of this sad situation will pay for these decisions because these businesses won't pay for the needed talent UNLESS THEY HAVE TO! By then the decision-maker is gone. That's the cheap bastard @mnemennth is talking about. 

fltwoway0


From my perspective after servicing the Target account in the late 90’s, the failure of physical site security is more likely responsible for the breach. Many non-Super Target stores utilized their control rooms for additional back office space and general storage, leaving the doors propped open or unlocked. I imagine it is much easier to launch the attack directly on the various servers rather than from the POS client. Since store servers communicate on a mesh network, a determined group could compromise the entire network with direct access from any store’s control room. I am just speculating though.



ivoyhip

Here are few points about POS systems:

1) In Canada, there are regulations requiring that POS computers record only the last 4 digits of credit card numbers.  There is also a requirement to encrypt part of the transaction data. 

2) Many POS computers are required to be on 24/7 for the whole year.  It is because there may be data transfer and system backup at night.  Therefore, it is challenging to do patching because there is only a small window of time when systems are available.

3) In the retail industry, speed is really important.  Customers do not like to wait at the counter.

4) In my company, we instruct cashiers not to allow outsiders to touch our POS computers.  This should avoid any keyloggers attached to the system.  However, could any of our cashiers be hackers?  Tough to say.

jemorris

Not sure where I read the article and watched the associated video but it was right after the 2012 holiday shopping season. Several dept. stores in 3 or 4 suburban malls had found USB flash drives attached to their POS terminals that contained keystroke loggers, wifi and some other tools for capturing data. No one was sure how long they had been on the terminals. Once these had been found the store detectives then started monitoring the terminals in the one dept. store that allowed itself to be identified. On two separate occasions they caught one person downloading the captured data while parked just outside one of the stores, and the other time they caught an individual who had tried to retrieve one of the flash drives. This person claimed they were just to secretly retrieve the drive (fail!) and deliver it somewhere. These were all in the same metropolitan area and at the time the article was published it was believed that it was the work of a loosely knit group of hackers and not organized criminals. There was a lot of vagueness to the article on some things and it had me questioning how much of the article was real and how much was fiction. The only part that had me convinced was the dept store that allowed itself to be identified. 


Can't remember what metro area it was and never saw a follow up to the article but now when I'm in a major dept store I can't help but notice how easy it would be to attach something to many of the terminals.

PhilippeV

Magnetic tapes are really bad on credit cards. In France we have used smartcards since the 1980's and many people below the age of 35 have never known any credit card without the chip. The chip is mandatory for all credit cards from French banks that display the "CB" ("Carte Bancaire") standard logo (including cheap cards not affiliated to the Visa, Mastercard and Amex networks and not usable for international transactions).


So it's much more difficult to copy the information on the card.


Card readers in shops use ONLY the chip when it's present, so often these devices are so rarely (or never) used with their magnetic tape reader that it is dirty and does not work at all. Points of sale will not refuse to use the magnetic tape if the card has the "CB" logo or the smart chip, simply because they take a risk (and they also pay additional transaction fees when processing payments from the magnetic tape).


---


The real danger is for sales on the Internet that are completely unprotected and where the data transmitted is minimal.


This is changing though with the adoption of second verification systems by SMS with an extra confirmation code (another older technique used by "Verified by Visa" or similar with Eurocard/Mastercard (and even with American Express cards issued in France) is to force the online merchant to redirect to a secure page of the credit card owner's bank where the user must authenticate the transaction). We no longer buy online with French credit cards with just the visible 16-digit card number and the 3-digit PIN printed behind the card near the signature.


---


Sometimes, the US can be so late to adopt technologies; this is the case of US banks.


When will credit cards completely remove the old magnetic tape (or will first require that users authorize their use for a limited time, for example when traveling abroad)?


rocket ride

The breach apparently involved inserting extra code into the terminals.  So, what it really amounts to is that the mental defectives who designed, sold and bought these POS (in both senses of the acronym) terminals "thought" that making them reprogrammable by any means less arduous than plugging in a new ROM chip was somehow a good idea.


How did that work out for you, idiots?



NickNielsen moderator

POS systems are not quite that simple, Michael.  The systems also include inventory management and ordering functions.


Most large retailers use central PCI gateways as relays between the stores and card issuers.  They also have central CRM servers.  Given the amount and type of data taken, I think the breach took place on these systems and not at the store level. 

mark100

Internal network firewalls would be nice to prevent system-wide theft of credit card data, but that would slow down the speed of customer transactions, and stores like Target favor speed over security.  It's simple cost-benefit analysis by Target's bean-counters. 

johnlindemann

POS malware, poor network best-practices, un-patched OS's, etc.  -could all be made irrelevant if card issuers were to adopt one-time-use card number technology.


See Mr. Kassner's other post http://fyre.it/hpPLWm.4 on this subject.


Too costly?  ...I wonder had it been embraced years ago, it may have paid for itself several fold.

johnmalaney

One reason that POS systems are often not patched is also performance. Systems are often of low spec as stated by previous respondents and any system change is likely to have an adverse impact on performance. There is a fixed requirement to achieve under 0.5 second response times from barcode scanning, otherwise the terminals become unusable in anything other than a tiny store.

jmcalpine

Are we sure we don't want to get the store clerk that gives out free flowers for virus removal on her INTERNET-CONNECTED POS system?  Most SMBs can't afford, or will not spend, the money for the protection that is needed. Most of the time, it's non-technical executives making the decisions and disregarding the advice of experts both internal and external.

mnemennth


The headlines should read:


RETAIL GIANT TARGET A HUGE BULLSEYE FOR HACKERS DUE TO LAX PCI COMPLIANCE; 70 MILLION CUSTOMERS' DATA EXPOSED TO CREDIT CARD AND IDENTITY THEFT. MANAGEMENT TRIES TO SHIFT BLAME FOR THEIR OWN INCOMPETENCE.

 

 It doesn't MATTER what OS is used on the POS terminals; the bottom line is Target, one of the biggest retailers in the country, has a system that is NOT PCI COMPLIANT. 

The heart of PCI Compliance, and the reason it has been required BY LAW in the state of Nevada since 2009, is that ANY ENTITY which processes customers' credit card info has to have ALL MACHINES which process that info behind an encrypting HARDWARE VPN Firewall which ONLY allows data to and from a few known safe domains. If properly implemented, that VPN can face the internet directly with confidence. Many companies still rely on the security of their own internal networks, even though pretty much EVERY major retailer's network has been compromised at some point in the last decade.

Because they CONTINUE to drag their feet and lobby Congress to delay legislation REQUIRING PCI compliance (Due to what else... COST of implementation), the consumer is still at risk using card-based forms of payment at almost ANY MAJOR RETAILER.



mnem

*Allergic to the BS*

ExploreMN

" I assumed PoS applications would use proprietary software." 

It probably is proprietary software. I think what you mean is a proprietary operating system. 


"no one understands how the malware makes its way into the PoS system."

How hard is it to understand that you have someone get a job at some company and they infect the system. That's just one of many easily plausible ways to do it. Every cashier has access to a PoS system which makes it the most reasonable method.


"Visa recommends businesses add the above domains in firewall outgoing rule sets."

LOL Yeah...because those domains look like they are real, stable, and won't change at all. That's like blocking spam by blocking the e-mail address aosd87fpafd32@dsalf.com - Let's be real here, why should a PoS system even communicate with any domain that is NOT part of the company? How about restricting those machines to only communicate with the servers they need to communicate with?

Akais1

One of the biggest problems with POS systems is that they are not deployed by company employees. I have been on a couple of contract jobs where we changed out POS systems for Marshall's and Blockbuster. They would hire basically anybody with computer skills to come in and do this. As far as I know, they never checked anything in my background to come in, setup and install the new POS system. It would be very easy for any hacker to gain access to the system by getting hired on with one of these deployments, compromise the computer at installation which would give them access to the POS network. As far as I know, it is pretty much standard to hire temps to install these terminals.

cybershooters

I would have thought it's fairly obvious how they deploy it, lost count of the number of times I've been in a big box store and there's an unattended terminal that's been left logged on.  Or you could just get a job there briefly.  Not all PoS systems do use Windows, and I have to say those are the ones you never hear about being hacked.  But they're costly to maintain, which is why companies go to Windows as everyone else does.

junk

Why go through the trouble of excluding a few identified domains which are probably constantly changing anyway?  In a dedicated system the default should be to block everything EXCEPT the known servers of the processing bank and corporate HQ.  If these are fixed IPs and hard coded into the system, it would be much more difficult to hack and/or transmit any information back to the thieves.  For dedicated (kiosk) systems, even if it's Windows based, you can't think of it in terms of being a desktop computer, you have to think in terms of its being a device with a single task.

mnemennth

@PhilippeV 

When they stop being cheap base-tards who only think from one quarterly report to the next, and when someone forces them to ACTUALLY be more concerned with the safety of their customers' personal data than with their own data mining operations.


As long as continue to take fundamental civil rights away from actual living, breathing people and give them to Corporate Entities that feel no pain, remorse, or pity, it's not going to change.



mnem

No, thank you.

mnemennth

@NickNielsen 

Just having a PCI Gateway doesn't make your system PCI-Compliant; the entire point is that NOTHING is on the same network as the POS Terminals and their required server, and nothing that comes to or from those machines is unencrypted. Aside from the deployment cost issues I've already mentioned, another reason big companies drag their heels on being PCI-Compliant is that they are all actively engaged in data mining on that very same information. 

Having to keep that information separate from the company network would really make it hard for every Management Type/Wannabe CEO to dig up their next marketing strategy; they would probably bust sixteen brain bones just figuring out who to ask for the data. When told it's unavailable because of Credit Data Security protocols, their heads would explode. The last thing they really care about is the security of the customers' data; only the APPEARANCE of that security to the public is important to them.




mnem

I'm no cynic; I stopped being that optimistic long ago.

rocket ride

@mark100


Just like the airlines' bean-counters define an acceptable level/ frequency of passenger loss through crashes.  Yes, retailers have a certain risk of your identity getting stolen and your money being taken that they consider acceptable and airlines have a certain level of risk that you will die in the crash of one of their planes that they consider acceptable.

PhilippeV

@johnlindemann You should know that there's a new kind of threat affecting automatic cash dispensers: they are most often a standard PC with a USB connection to the external keyboard and the card reader.


Thieves are now creating holes in the outer case to find the USB cable and connect a USB key to it. They close the hole and then wait for the time the dispenser will be refilled with cash.


The USB key contains a Windows autorun program that will infect the PC of the dispenser. These PCs are installed with OLD versions of Windows XP, with Plug-n-Play enabled (so the USB key is recognized and installed immediately without needing administrator permission). The "autorun" feature of Windows XP is also enabled. The USB key contains a malware that will infect the cash dispenser.


It will monitor the time when a credit card will be inserted by cash conveyors to refill the dispenser (to refill it, they need to first identify themselves to be allowed to open the case, disconnect the closed transport case containing the cash, and replace it with the other filled case (they don't handle the cash directly): they plug it on a USB port and the replacement case is recognized automatically with Plug-n-Play).


The problem is that the OS used is really old and full of security bugs. They are also extremely badly installed with bad administration rights. Inner USB cables are not protected and the inner software does not monitor actions on the USB ports to report events to the bank server.


Only the telephone line (or now more frequently the wireless network modem) is protected from intrusion.


Everything can be done on a cash dispenser running Windows XP as their OS.

Mr@Spock

@mnemennth From what I understand of this breach, PCI compliance would not have stopped the malware since it was gleaning the information from system RAM, not from system storage (hard drive space).  Data must exist unencrypted at some point in the transaction for the transaction to be completed.  The thieves are targeting those areas where they expect the data exists in readable format.  They are adapting their attack to work around even PCI-compliant companies' security tools.  A more effective tool here would have been aggressive firewall rules right from the start and application white-listing.

Zorched

@mnemennth Be careful though.  I suspect that the reason the legislature is dragging their feet is that it's not just big companies that are affected.  Should the mom-and-pop gas station down the street have to pay tens of thousands for hardware and installations just to be able to take credit cards?  No, most of them either use the phone line or plug into the basic DSL that the place has.


Better yet, how about making sure the data on the card is encrypted like they do in Europe? The Credit Card companies could have done that years ago when Europe and the rest of the world was, but they didn't want to spend the money.  Here, it's the big companies that have billions in profits that have to bear the burden.  Encrypting the data would fix the big company and the mom and pop problem.


Who should bear the burden?  I'm thinking the rich profiteers that have shirked their duties, but that's just me.

Michael Kassner

@ExploreMN 


Good point on the proprietary system software, I was not accurate in my statement. Thank you.


I have been following closely as to if and when they will supply the attack vector. Until then, I try to avoid surmising. 


As for the domains, I mentioned earlier that in many cases PoS systems are on the same network as other internal components. I suspect that may change. 

Michael Kassner

@Akais1 


I think the lack of publicly acknowledging there is an issue may have lulled companies, especially SMBs, into thinking all was well. 

Michael Kassner

@cybershooters 


That could be, but I cannot find any source and verifiable second source to confirm that. Also, I am reading the breach may now be even larger. 

WmTConqror

@junk True, True.  Following network best practices would go a long way. 

Another problem with PoS is they are somewhat customized; any patch or update could potentially knock the PoS system for a loop, so they are generally left as they come from the box.   

Michael Kassner

@junk 


Good point. And you are correct, if the PoS system is isolated. I am not so sure that is the case.

mnemennth

@Zorched - 

PCI Compliance IS, in fact, a fast growing market industry right now; and actually, it is the small and medium sized business owners who are buying the hardware because they are just big enough to realize that they can't afford the lawsuits if they get hacked. The expense of a basic PCI Compliant VPN Firewall is actually very small; much less than the retainer of any law firm who could protect them against such lawsuits.

Big business companies already have armies of lawyers, so to them it's just another day in court; they have the luxury of "putting it off" until some very messy, very public event, like this one, occurs.


The funny part is... the average everyday who are the safest? The really small business folks who only process credit/debit cards through a credit card company provided machine on dialup. Those machines can really only be hacked by hacking the user or tapping the telephone line; their connection is sporadic, the data is encrypted, and it is an outbound-only connection. The business owner never stores Payment Card data of any sort. This poor yield of data makes these installations a much less tasty target for this sort of hacking. This is also the sort of hacking that Identity Theft and Credit Card Fraud laws are actually current on; pretty much everything that is more sophisticated than this is a legal free-for-all right now. Our legal system is THAT FAR behind the criminal technology being used today.

@Mr@Spock

PCI compliance WOULD have stopped or at least severely curtailed this breach; number one, those POS machines AND SERVER would have been on a secure, hardware-encrypted VPN, which ONLY ALLOWS TRAFFIC TO AND FROM KNOWN SAFE IP ADDRESSES/DOMAINS. This would have prevented most vectors of infection from the Internet.

Even if those POS terminals were intercepted in shipment before delivery to the store, the compromised machines wouldn't have any way to talk to the Internet, therefore their bots would just be adrift in an empty sea of bits in a language they can't understand, talking to themselves.

mnem

*Non-compliance Compliant*

minstrelmike

@WmTConqror @junk Even if the systems weren't customized, you can't hardly keep up with the Windows updates (or any other O/S). Add on the time spent testing the update (or waiting for others). And then add in any SarOx or industry-specific requirements that must be tested and any Zero-day patch gives attackers a 7-day window at minimum.


A multi-armed security with restricted network links, a POS separate from inventory and meeting management systems, maybe even a proprietary OS--after all, if it doesn't need to read disks or list files, maybe strip it down to POS basics.

ALU13

@WmTConqror @junk The customization is a very good point. 

POS devices running Windows XP Embedded generally run on thin clients with very little drive space available.  In many cases after they are deployed there is virtually no free space available to apply anything. Changes, especially Windows patches, cannot be deployed.

Michael Kassner

@ALU13 


We are kind of guessing here, as the bad guys may have worked their way into the servers. 
