The Target data breach story has turned into a bit of a bus: it’s big, has lots of momentum, and three just came along at once.
Here’s where we are now.
Late in December 2013, a breach was noticed and notified by Target.
At that point, it looked as though “only” 40,000,000 payment card customers had been impacted.
Over the second weekend of January 2014, the plot thickened, with a second part of the breach notified by Target.
This announcement added another 70,000,000 potential victims – what Target referred to as “guests,” apparently meaning anyone who had shared personal information with the company, as you might, for example, if you were to enter a competition or request a catalogue.
Unfortunately, that has spread the net of potential victims much more widely and less predictably.
As far as Target is aware, the original 40,000,000 stolen payment card records involve only customers who made an in-store purchase at Target in North America between 27 November 2013 and 15 December 2013.
That’s a lot of people, to be sure, but it’s clear-cut to work out whether you are inside or outside the set of possible victims: no purchase, no breach.
But Target’s “guests,” as you can imagine, cover a much less well-defined set of possible victims.
You’d expect there to be some overlap between customers and guests, so the total number of affected individuals is unlikely to be 40 million plus 70 million.
But even if every customer is also a guest, i.e. there is a total overlap between the databases, the breach would still have touched a minimum of 70 million people.
That’s why we’ve described Target as joining Adobe and Sony in the “100 million plus” club.
Anyway, a third part of the Target story has now emerged, with Target CEO Gregg Steinhafel telling CNBC in an interview that “there was malware installed on our point-of-sale (PoS) registers.”
However, Steinhafel, understandably given that this incident is centre stage in an ongoing criminal investigation, didn’t go into any detail.
We don’t know whether the malware was instrumental to, incidental in, or even unrelated to, the payment card breach.
The best result, ironically, would be for the malware to be found to have been specifically written to commit payment card fraud, and to be entirely responsible for the stolen records.
At least then we’ll be confident that the malware wasn’t there to steal yet more data from yet more victims.
For now, let’s assume that the malware was a purpose-built bot, designed to hook together Target’s PoS registers into a botnet, or “robot network”, of data-stealing Trojans under criminal control.
That raises the question: what about PCI-DSS, the Payment Card Industry Data Security Standards?
Surely Target was compliant, and used encryption all the way from its retail store to its central payment processing database, thus thwarting the crooks by feeding them nothing but shredded cabbage from end to end?
The answer to that question is that credit card data isn’t actually encrypted all the time, even on PCI-DSS compliant systems.
Usually, it’s briefly unencrypted inside the PoS terminal itself – the device with the keypad into which you actually insert or swipe your card.
Putting malware into PoS terminal hardware devices is possible, and lets crooks skim off payment card data as early in the process as possible.
Back in 2009, for example, crooks in Australia ripped off McDonalds fast-food outlets that way.
They surreptitiously switched out Macca’s official PoS devices for jury-rigged ones.
They would visit a drive-through window, buy food, and the driver would pass the PoS device, installed on the end of a long data cable, to the passenger for “payment”.
The driver would then act as a sort of human shield behind which the passenger could lurk to carry out the substitution.
A reverse swap-out some weeks later allowed the crooks to recover their Trojanised devices, and then to read off a month or more of payment card data and PIN codes from covert storage inside the hacked units.
But that sort of scam is hard to perpetrate on a national scale, especially at in-store sales points.
That’s where so-called RAM scraping malware comes into the picture.
RAM scraping works because payment card data is often also unencrypted in memory (RAM) in the PoS register, albeit briefly.
This happens as the data is transferred from the PoS terminal to the PoS register.
Of course, PoS registers usually run some version of Windows, and are connected together on an enterprise-wide network.
So a RAM scraping botnet can be used to look out for credit-card-like data popping up in memory on an infected computer.
The bot then grabs the data before payment processing has even taken place, and squirrels it out into the hands of the botmasters.
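The “credit-card-like data popping up in memory” that a RAM scraper looks out for has a very regular shape: magnetic-stripe Track 1 and Track 2 data, with fixed separator characters and a card number that passes the Luhn check digit. As an added example, not code from this article or from Sophos, the Python below scans a raw memory capture for exactly that shape, the way an incident responder would confirm whether card data was sitting in the clear in a PoS register’s RAM during the terminal-to-register handover described above (the same “internal pattern” point that comes up later in the comments). The buffer is a constructed stand-in for a memory image; the card numbers in it are the standard industry test PANs 4111111111111111 and 5555555555554444, not real cards; the Finding type and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: true for every real PAN, false for most stray digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep first 6 and last 4 digits so the full PAN is never logged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    offset: int       # byte offset of the track data inside the capture
    track: int        # 1 or 2
    masked_pan: str
    expiry: str       # YYMM as encoded on the stripe


def scan_buffer(buf: bytes) -> List[Finding]:
    """Find Luhn-valid Track 1 / Track 2 data anywhere in a raw memory capture."""
    findings = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue  # right framing, wrong check digit: not a card number
            expiry = (m.group(3) if track == 1 else m.group(2)).decode("ascii")
            findings.append(Finding(m.start(), track, mask_pan(pan), expiry))
    return sorted(findings, key=lambda f: f.offset)


# Constructed stand-in for a memory capture from a PoS register. The PANs are the
# well-known industry test numbers, not real cards; the surrounding bytes are
# invented filler plus one Luhn-invalid decoy and one unframed digit run.
SAMPLE_MEMORY = (
    b"\x00\x00SaleItem=Milk 2L\x00\x00"
    b";4111111111111111=25121015432100000000?"              # Track 2, Luhn-valid
    b"\x00\x00log: auth pending\x00"
    b"%B5555555555554444^DOE/JANE^2512101000000000000000?"  # Track 1, Luhn-valid
    b"\x00;4111111111111112=2512101?\x00"                   # decoy: fails Luhn
    b"\x00junk 1234567890123\x00"                           # digits without track framing
)

if __name__ == "__main__":
    for f in scan_buffer(SAMPLE_MEMORY):
        print(f"offset {f.offset:5d}  track {f.track}  PAN {f.masked_pan}  exp {f.expiry}")
```

Run it as a script and it prints the two masked findings and nothing for the decoys. The lesson for defenders is the flip side of the scraper’s trick: because stripe data is this easy to recognise, any interval in which it sits unencrypted in a general-purpose Windows register is a harvesting opportunity, which is why terminals that encrypt before the register ever sees clear-text track data close the gap, and why output from a scan like this belongs in an incident log only in masked form.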
→ If you are interested in learning more about RAM scrapers, take a look at SophosLabs researcher Numaan Huq’s fascinating Naked Security article that investigates the industrialisation of this aspect of card fraud. And watch this space: Chester Wisniewski will be delivering a joint paper on the topic with Numaan at the RSA security conference in San Francisco in February 2014.
Is it all doom and gloom for Target?
Well, Target is not the only company to suffer a data breach in 2013, so while it’s fair to criticise the company, it would be unfair to single it out.
And it is worth saying “well done” to Target over the words it has chosen to use in confessing its security sins.
You can watch Target CEO Gregg Steinhafel talking to CNBC here, and judge for yourself:
Here’s a transcript of the 55-second clip (Naked Security’s emphasis):
Steinhafel: Well, we're in the middle of a criminal investigation, as you can appreciate, and we can only share so much. But as time goes on, we are going to get down to the bottom of this. We are not going to rest until we understand what happened, and how that happened.
Clearly, we are accountable, and we are responsible. But we're going to come out at the end of this a better company, and we're going to make significant changes.
I mean, that's what you're doing when you go through a period like this. You have to learn from it, and you have to apply those learnings. And we're committed to do that.
Interviewer: What can you share? Was it a point-of-service situation? Was it an outside vendor? What happened?
Steinhafel: We don't know the full extent of what transpired. But what we do know was, there was malware installed on our point-of-sale registers. That much we've established.
We removed that malware so that we could provide a safe and secure shopping environment. This investigation is ongoing, and it's going to take some time before we really understand the full extent of what's happened.
Ummmm, “guests” = customers, period. It has nothing to do with whether info was stored in Target’s system. It has become somewhat commonplace to hear customers referred to in this way by US retailers.
All POS terminals in all stores? That’s a pretty remarkable accomplishment all by itself. I wonder how the POS terminals got access to the other 70 million “guest” records?
Not *all* stores, it seems. (For a start, only North America.) And if you read this and the previous stories, you’d have to assume (and Target seems to be saying) that we are looking at what you might call “breaches within a breach.”
Anyway…we don’t know what that malware was up to. All we know is that when Target jumped out of its skin and started looking for what had happened, it found some.
My guess would be that the crooks didn’t just sneak into one corner of the network, but had a fair bit of “laterality” (ability to move between different parts of it, like housebreakers going after your document safe, finding your jewellery boxes in another room, and ending up making off with the whole lot).
Lateral, up to a point. We’d have to admit, something on that scale must have involved a central resource getting owned, whether to pull databases off directly or to insert the malware.
Just after Krebs posted, I checked the Wikipedia page (since modified), and the number of Target stores in the US, around 1,800 if I recall correctly, was roughly the same number of stores involved in the breach here. Apparently there was a second breach discovered that involved customers’ email addresses and contact details getting scraped – perhaps from another database on the same server.
All the signs point to the crims pulling the records off a company server.
I’ve worked for a staffing agency where I would go in and update the POS and I could’ve easily downloaded a malicious program. They never did a background check on me either. This goes for a lot of IT staffing companies. Too many stores in different states makes it impossible for them to hire IT staff in house, so they contract it out to these staffing agencies.
Several years ago, I remember in another store (not Target) that they had to reboot a cash register for some reason before I could make a purchase. I was highly amused as I saw a Windows desktop, followed by a splash screen for an anti-virus program, and then it automatically ran the cash register software. I mean, why would a cash register need a virus scanner, right? Well, I guess they do now.
I work as a cashier at a supermarket in the UK and I’ve had to reboot quite a few of the till systems for various reasons (printer paper running out was a fave). The POS application used hasn’t changed in years! The hardware running it has (now i5 3GHz, 8GB RAM, overkill much? from a P4-M 2.4GHz and 512MB RAM). It hasn’t sped up much and it’s still buggy as hell!
Ask Target what they mean by “guest.”
Many stores now are using it to mean “customer” – sometimes, it seems, specifically in-store customer.
I don’t work or shop in Target, so I don’t know their jargon – but I know several American department stores where the meaning is the opposite of what you assume it to mean.
My understanding is that it means someone the company has interacted with, as suggested in the article. They may have visited a store, but needn’t have bought anything.
One of our Facebook-using readers pointed out this article which looks into the “guest” concept in more detail.
This is not hard to figure out. Target refers to all customers as guests.
Since the word “guests” appears to include people who have never bought anything at Target (which would put them outside my definition of customers), and perhaps even people who have never visited a Target store, I suggest that it is not only hard to figure out, but as good as impossible.
In common English usage, “guest” and “customer” are not synonyms, so it would be very nice – especially given that this is to do with communicating information about a data breach to the world at large – if Target would spare us its internal jargon and speak in plain English instead, that everyone can understand. Guests and customers alike.
s/reatail/retail
Fixed, thanks.
Target also scans your driver’s license if you purchase alcohol there – I wonder if the DL mag stripe data has also been lost. Older licenses may also have SSN still on them.
Mr. Ducklin,
I was at a Target store on 11/30/2013, and I was issued a Red Card debit card. The clerk scanned my blank check for banking information, I entered my DOB and SSN into the system, and voilà! My Red Card would arrive within 5 to 7 days.
Obviously, I obtained a new banking debit card and a different Red Card account number since learning of the breach. I’ve added 90 day fraud alerts on my credit report with all three bureaus.
I’ve spoken to Target customer service, and was told that the breach was only for cards swiped at the POS, and that my personal information was not compromised. I am interested to know if what they told me is accurate, especially considering this new information in your article.
Thank you in advance for your anticipated response.
Worried Customer
Right now, I’d say, “You can’t be 100% sure, and neither can Target,” but it seems as though [a] the payment card information stolen via PoS registers was limited to data actually stored on your payment card (which you didn’t have yet :-), and [b] the “guest” data stolen via as yet unstated means wasn’t stolen via PoS registers.
From what I have heard, the stolen data that has turned up in the criminal underground so far seems to be what would be found on the magnetic stripe on a credit or debit card, thus excluding information like DOB and SSN. That lines up with the suggestion that so-called “RAM scraping” malware was how the PoS data was acquired.
Target says it still isn’t sure and doesn’t have all the information it would like to disclose; I’m inclined to believe that, and to accept that if anything more comes out they will tell the world.
Sounds like you have done the right things; I’d recommend: maintain your concern, but give up on the worrying, if you know what I mean 🙂
A lot of POS systems use an embedded Windows XP operating system or similar. It is not much different from your PC at home (with the exception of the specialized hardware locally attached) and is susceptible to the same vulnerabilities as any unpatched or unprotected Windows PC at home.
I find it hard to believe that so many people shopped at Target in less than three weeks’ time.
40 million by credit card, then add in the people who paid cash or wrote a check or used a debit card and the number shopping must be approaching 50 million.
That number doesn’t pass the smell test.
If by “smell test” you mean “using the back of an envelope, is this even possible,” then I’d suggest it does pass. In fact, with a bit of rounding, it’s an easy “in the head” calculation…
40M card transactions in about 20 days at about 2000 stores is about 1000 sales per day per store, in the busiest retail period of the year.
It’s my understanding that lots of people in the USA have several cards, and may try one…declined…try another…declined…try a third…approved. That’s three lots of card data for the crooks to harvest – gotta go through PoS terminal -> PoS register -> card authoriser to get declined. So the number of actual purchasers, and purchases, is likely lower than the number of stolen records. (I’m ignoring the four people in the USA who still use cash 🙂)
I think the numbers add up pretty well.
(If Target were admitting to a bigger breach that actually happened…now *that* would be a thing…playing UP your insecurity…)
I imagine there are more than four of us who use cash. Almost all my purchases are in cash. I have no credit cards and my debit is usually used for gas purchases so I don’t have to walk my lazy self in the station.
I try to keep on the latest with your newsletter and others. Articles like this tend to make me happy I pay for most things with cash and don’t have to be worried or concerned over breaches like this. I’m not saying that my info can’t be gotten at one way or another but I feel better paying in cash.
The “four who use cash” remark was facetious…sorry about that. In fact, I decided to expunge it, until I spotted your comment referring to it, so I had to put it back into *my* comment 🙂
Betcha the vast majority of purchases were with cards, though.
lol Indeed they are. I have to admit, I’m in a minority nowadays when it comes to paying for things. Sorry about getting my hackles up over your comment 🙂
Your paranoia is misdirected. Worst case, you are liable for more losses with a debit card, and gas station POSes are just as vulnerable as store POSes:
http://krebsonsecurity.com/tag/gas-station-skimmers/
This is a nice article, but I feel 1 piece of information isn’t accurate. It’s in reference to your comment…
“Usually, it’s briefly unencrypted inside the PoS terminal itself – the device with the keypad into which you actually insert or swipe your card.”
I read this to mean that the PoS terminals are typically the only place cardholder data is unencrypted, and that’s just not true. I would actually argue that MOST of the time the data is in transit, it’s not encrypted. Unless you have installed terminals which have been manufactured in 2011 or later, there is a strong chance credit card data is being transmitted to the processor without any sort of encryption whatsoever. I would say at least 95% of terminals deployed today do not support end to end encryption.
In this case Target themselves admits that there was malware on their PoS registers, but it certainly does not require RAM scraping malware to intercept unencrypted credit card data. This is pure speculation, but one possibility could be the existence of 1 centralized PoS aggregator per store that was compromised and the hacker just sat back and watched the authorization messages flow right into their hands.
Actually, I am differentiating between the “terminal” (the device on a cable with a keypad) and the “register” (the Windows [probably] computer facing the sales clerk).
Since register software is easier to update than the terminal itself – indeed, easy enough in some cases to update that malware can get on there! – encryption between register and the processor is IMO more likely than it is between terminal and register.
Anyway, I’m not saying that the terminal-to-register stage is the *only* place where unencrypted data can be found, but the increasing prevalence of RAM scraping malware (and its industrialisation by the crooks) suggests that it is the most prevalent and reliable place to grab it.
FWIW, my own initial speculation was that this was a centralised hack, as the hack of the 70,000,000 non-payment-card records seems to have been. The “malware on the registers” admission, however, suggests it wasn’t.
PS. Another “benefit” of RAM scraping malware to the crooks is that if you get the magstripe data in a single block, it is [a] easier to recognise by its internal pattern and [b] you get it all, just like that, without even having to take into account what happens to it next. And if you find a way into one PoS register, you may very well be able to automate your way into most or all of them, so the hack to disseminate the malware widely needn’t be much more complex than infecting a single centralised authorisation server.
The card number is almost certainly tokenized or encrypted before it leaves the register. But, what does it matter at what point it’s encrypted? Target will be using some kind of automated update system to apply patches, etc, to their tens of thousands of registers, so once someone gains access to the software repository, it’s game over, all the way down.
There have even been cases where merchants have bought POS hardware online from Ebay, Alibaba, etc., and received devices with malware and skimmers preinstalled at the factory. So, no hardware is safe.
In one famous case (can’t find a Naked Security link) the crooks had a skimmer and GSM modem pre-implanted in the PoS hardware, which was otherwise identical to the unhacked ones, seals and all.
The bank ended up weighing all its devices – the hacked ones were identifiably heavier. First time I’d heard of mass being used as a measure for malware detection 🙂
Hey Duck,
Just received this email from Target. So we now have a better definition of “Guest”. I am going to take this to mean that I visited their website, and may have registered, as I do not have a Target Card, nor did I purchase anything during that time frame.
Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
• Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
• Delete texts immediately from numbers or names you don’t recognize.
• Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.
Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.
Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Gregg Steinhafel
Chairman, President and CEO
See:
http://nakedsecurity.sophos.com/2014/01/16/target-issues-apology-letter-but-includes-some-awful-security-advice/
typo: at the 2104 RSA security conference
Fixed. Thanks for pointing it out 🙂
Oops. Sorry about that. Those guys are thorough researchers…but *90 years* to finish a malware paper?
(By 2104 we will probably be way ahead of where we are now – almost no-one will still be on XP.)