Buyer Beware: Your Credit Card and Debit Card Data Can Be Stolen at the Cash Register
Most adults in the developed world have bank accounts and credit cards. Most of us use debit cards and credit cards at the cash registers of our favorite retailers, often on a daily basis.
A few months ago, millions of customers of Target and Neiman Marcus could have never imagined that shopping at those retailers could lead to their sensitive financial data being stolen.
What should you learn next?
In the retail industry, the computers that act as cash registers are called "point of sale" systems, or POS. Technically speaking, those POSs are very similar to the kind of PCs ordinary people use every day at home and work. Many of them even use the same operating systems, such as Microsoft Windows.
It's in the best interests of both customers and retail corporations to keep their POS systems as secure as possible. When POS systems are attacked and customers' financial data is stolen, it's absolutely devastating to both parties. Customers are hit hard in the wallet, and prone to being victims of identity theft, as well. Retailers lose money, their reputations are hurt, and they become subject to massive litigation.
In the past couple of months, POS attacks on Target and Neiman Marcus have made headline news around the world.
On December 19, 2013, the Target breach was made public. The data of up to 40 million debit cards and credit cards were grabbed by criminals. As the malware entered servers that are connected to Target's entire digital transaction system, it's likely that some data was stolen from all of their retail locations. If you're American, if you personally weren't affected, chances are someone you know was.
"Sunday, December 15th was really day one. That was the day we confirmed we had an issue and so our number one priority was ... making our environment safe and secure. By six o'clock at night, our environment was safe and secure. We eliminated the malware in the access point, we were very confident that coming into Monday, guests could come to Target and shop with confidence and no risk," said Target CEO Gregg Steinhafel.
The data stolen wasn't limited to debit cards and credit cards. The mailing addresses, email addresses, and phone numbers of up to 70 million customers were also compromised.
Luxury retailer Neiman Marcus suspected a POS attack on their systems as early as mid-December. On January 14th, Neiman Marcus spokesperson Ginger Reeder made the following statement to Krebs on Security:
"Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.
"We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence, and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers' cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.
"The security of our customers' information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store."
As of this writing in January 2014, it's unknown to how many Neiman Marcus customers were affected. Their investigation is ongoing.
Have you never shopped at Target or Neiman Marcus? Then you must know that these incidents aren't isolated to just two major retailers.
Reuters reported that at least three other well-known American retailers were hit around the same time as the attacks on Target and Neiman Marcus. We don't know which retailers those are, not yet, anyway. Banks and credit card companies like Visa and Mastercard don't publicly disclose which merchants they know have been attacked until the merchants themselves publicize such news. That may be because it's believed that keeping the identities of breached retailers secret protects criminal investigations and lawsuits while they're ongoing.
As a consumer, it may give you some peace of mind to know that, in most of the US, there are laws that mandate that corporations inform customers when their personal information is breached. The responsibility may be assigned to the retailer or to a bank or credit card company.
Information security experts have been aware of POS malware for years. The malware that recently affected Target, Neiman Marcus, and other major retailers is probably a type called RAM scrapers.
Electronic banking and retailing systems have been evolving to become increasingly sophisticated over the years. Sensitive data that's sent to and from computing devices is almost always encrypted with asymmetrical algorithms. Cracking the encryption that sensitive data is scrambled with is incredibly difficult to break, especially with standards that use bit lengths of 128 or more. If blackhat hackers want to crack the encryption that the POS systems of major retailers use, they may need to use supercomputers or massive computing clusters, and the process could take weeks, months, or even years. That especially pertains to keys of 256 bits or more.
The time it takes to crack really secure encryption makes crackers vulnerable to being stopped and caught. The longer it takes, the greater the risk.
So, modern POS malware bypasses encryption altogether. That's why most POS malware these days are RAM scrapers.
I'll explain how RAM scrapers usually work. Data that's in transit on a network can be encrypted. Data that's on storage media can also be encrypted. But data that's processed through CPUs and RAM is unencrypted. Otherwise, the data can't be used by the computer.
RAM scraper malware collects data directly from a machine's RAM, hence the name. The malware itself will reside in the storage media of individual POS machines and the servers they're connected to, but that malware instructs POS machines to gather sensitive financial data right as it's being computed. Then the malware sends the financial data to the attackers' machines, usually through the retailers' internal networks, through the Internet, and then to the intended destinations.
I'll give a brief overview of some POS RAM scraper malware that's known to exist.
Dexter
In December 2012, IT security firm Seculert and Visa reported their discovery of Dexter. It probably infected the POS systems of many different retailers with Visa accounts, which is likely how they became alerted to the threat. Dexter continues to infect POS systems as of this writing.
BlackPOS
BlackPOS was discovered by Russian computer forensics company Group-IB around March 2013. Also known as Reedum, it's the malware that infected Target's POS system in the last quarter of 2013. Earlier in 2013, it affected cards issued by Citibank, Chase, Union Bank of California, Capital One, and Nordstrom Bank. BlackPOS is being heavily advertised and sold in the underground criminal marketplace.
On January 17, the identity of the developer of BlackPOS was discovered by IntelCrawler, a digital forensics firm. His handle is "ree4," and his real name is Sergey Taraspov. He's a 17-year-old from St. Petersburg, Russia.
He wasn't the party that uploaded BlackPOS malware to Target's POS network, but as he developed and sold the malware, he's subject to the criminal investigation of the Target incident.
VSkimmer
VSkimmer was also discovered by McAfee in February 2013. It works on POS machines that run Microsoft Windows, in coordination with criminal botnets. It's considered to have evolved from Dexter's code. Like BlackPOS, it's still being sold in the underground marketplace. VSkimmer is believed to have originated in Russia.
Trackr
Trackr is also known as Alina. Like VSkimmer, it targets POS machines that run Windows. It makes changes to a registry key in HKCUSoftwareMicrosoftWindowsCurrentVersionRun. It's been known to enter POS systems via HTTP, the main TCP/IP protocol that the web runs through. It's one of the oldest POS RAM scraper malware known, discovered by SophosLabs Canada as
Citadel
Citadel also works in coordination with criminal botnets. It was discovered in early 2013, first targeting banks and online retailers. Later on, a new strain of Citadel was designed to hit the POS machines of brick-and-mortar retailers. Unlike the other POS malware I've mentioned, it's not a RAM scraper. Rather, it gathers customer and information entered in web forms. Its POS variant gathers sensitive data directly from companies that process POS data on behalf of retailers as third parties.
What can retailers do to protect themselves and their customers from future POS malware attacks?
Here's some advice for retailers that I've gathered from both CERT and Visa.
- When POS systems are installed, they usually come with default passwords. The default passwords for specific POS software systems are either known in the criminal underground or are easily cracked. Make sure that unique usernames and passwords are established from the get-go. For added security, change all POS passwords periodically. Make sure the passwords used are highly complex. Dictionary crackers typically have millions of words, so make sure no actual words (in any human language) or proper names are used. Use as many characters as the POS authentication allows, with a combination of upper and lowercase letters, numbers, and symbols.
- Always install the latest updates that your POS software vendor releases, because they're often designed to close recently discovered vulnerabilities.
- In the same vein, make sure that the antivirus software installed on both POS client machines and servers is updated with new malware signatures as frequently as possible.
- Use the best hardware and software firewalls you can afford. Spare no expense in that area because, when it comes to firewalls, you get what you pay for. Make sure those firewalls are configured to close all ports that aren't ever used. Make sure that any ports that need to be open are heavily filtered. Have properly configured firewalls at every point possible; there's no such thing as too many, as long as they're set up so they don't conflict with each other. At the very least, there should be a firewall on both ends of the DMZ (demilitarized zone), on the side of your network that faces the Internet, and between your servers and client machines.
- Make sure you have sysadmins monitoring all logs that are related to your POS systems and networks as frequently as possible. Use the best log analysis software in addition to human beings. Sometimes a security breach can be discovered in a log and isolated before it does any more harm.
- If your POS networks can be completely closed off from the Internet, that will close off the main vector of POS malware. If your POS network can't function properly without some connection to the Internet, watch that connection like a hawk.
- Here's some advice that comes directly from me, not Visa or CERT. Since it seems that most POS malware targets vulnerabilities in Windows, I'd strongly suggest using Linux-based operating systems as an alternative. Run Linux on both your POS servers and the client machines that cashiers use. If you can't find POS software that you like that works directly in Linux, run Windows POS software in Windows virtual machines in Linux. VMWare offers excellent support for corporate clientele, and Oracle VirtualBox is an excellent alternative.
- This tidbit also comes directly from me. For crissakes, don't outsource your IT staff. Hire your IT staff directly and in the countries where your stores are. It seems that only now are banks and other big corporations starting to realize that cheap, offshore technical staff are a poor alternative to in-house employees.
I hope that there can be improved communication and collaboration among retailers, banking institutions, and IT security firms. Cooperation and constant vigilance will help avert future POS threats. Sadly, in my personal experience, many large corporations ignore the advice of IT security experts, because implementing our recommendations cost money. But in time, corporations have got to realize that listening to their techs and paying them well is a worthwhile investment that can prevent them from losing billions from lawsuits, damaged reputations, and lost capital.
References
Target CEO defends 4-day wait to disclose massive data hack http://www.cnbc.com/id/101329300
Hackers Steal Card Data from Neiman Marcus http://krebsonsecurity.com/2014/01/hackers-steal-card-data-from-neiman-marcus/
Retail Breaches Spread. Point of Sale Malware A Suspect. https://securityledger.com/2014/01/retail-breaches-spread-point-of-sale-malware-a-suspect/
US CERT Warns About Point-of-Sale Malware https://securityledger.com/2014/01/us-cert-warns-about-point-of-sale-malware/
Malware Targeting Point of Sale Systems http://www.us-cert.gov/ncas/alerts/TA14-002A
Dexter Malware Targeting Point-of-Sale Systemshttp://usa.visa.com/download/merchants/alert-dexter-122012.pdf
Exclusive: More well-known U.S. retailers victims of cyber attacks http://mobile.reuters.com/article/idUSBREA0B01720140112?irpc=932
Attack Of The RAM Scrapers http://www.darkreading.com/attacks-breaches/attack-of-the-ram-scrapers/222002720
Point-of-sale malware infecting Target found hiding in plain sight http://arstechnica.com/security/2014/01/point-of-sale-malware-infecting-target-found-hiding-in-plain-sight/
Understanding malware targeting Point Of Sale Systems http://labs.bromium.com/2014/01/13/understanding-malware-targeting-point-of-sale-systems/
Russian underground VSkimmer Botnet targeting payment world http://thehackernews.com/2013/03/russian-underground-vskimmer-botnet-hit.html
BlackPOS Malware Linked to Target Breach http://www.tripwire.com/state-of-security/top-security-stories/blackpos-malware-linked-target-breach/
A First Look at the Target Intrusion, Malware http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
Researchers find new point-of-sale malware called BlackPOS http://www.pcworld.com/article/2032336/researchers-find-new-pointofsale-malware-called-blackpos.html
McAfee warns of malware targeting point-of-sale systems http://www.pcworld.com/article/2031580/mcafee-warns-of-malware-targeting-point-of-sale-systems.html
A look at Point of Sale RAM scraper malware and how it works http://nakedsecurity.sophos.com/2013/07/16/a-look-at-point-of-sale-ram-scraper-malware-and-how-it-works/
Point of sale devices and Canadian banks targeted by Citadel malware variant http://nakedsecurity.sophos.com/2013/01/28/citadel-point-of-sale-banks/
Alina: Casting a Shadow on POS http://blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html
Target Breach: 8 Facts On Memory-Scraping Malware http://www.informationweek.com/security/attacks-and-breaches/target-breach-8-facts-on-memory-scraping-malware/d/d-id/1113440
What should you learn next?
BlackPOS Malware used in TARGET Data Breach developed by 17-year old Russian Hacker http://thehackernews.com/2014/01/BlackPOS-Malware-russian-hacker-Target.html