Target admits “there was malware on our point-of-sale registers”

The Target data breach story has turned into a bit of a bus: it’s big, has lots of momentum, and three just came along at once.

Here’s where we are now.

Late in December 2013, a breach was noticed and notified by Target.

At that point, it looked as though “only” 40,000,000 payment card customers had been impacted.

Over the second weekend of January 2014, the plot thickened, with a second part of the breach notified by Target.

This announcement added another 70,000,000 potential victims – what Target referred to as “guests,” apparently meaning anyone who had shared personal information with the company, as you might, for example, if you were to enter a competition or request a catalogue.

Unfortunately, that has spread the net of potential victims much more widely and less predictably.

As far as Target is aware, the original 40,000,000 stolen payment card records involve only customers who made an in-store purchase at Target in North America between 27 November 2013 and 15 December 2013.

That’s a lot of people, to be sure, but it’s clear-cut to work out whether you are inside or outside the set of possible victims: no purchase, no breach.

But Target’s “guests,” as you can imagine, cover a much less well-defined set of possible victims.

You’d expect there to be some overlap between customers and guests, so the total number of affected individuals is unlikely to be 40 million plus 70 million.

But even if every customer is also a guest, i.e. there is a total overlap between the databases, the breach would still have touched a minimum of 70 million people.

That’s why we’ve described Target as joining Adobe and Sony in the “100 million plus” club.

Anyway, a third part of the Target story has now emerged, with Target CEO Gregg Steinhafel telling CNBC in an interview that “there was malware installed on our point-of-sale (PoS) registers.”

However, Steinhafel, understandably given that this incident is centre stage in an ongoing criminal investigation, didn’t go into any detail.

We don’t know whether the malware was instrumental to, incidental in, or even unrelated to, the payment card breach.

The best result, ironically, would be for the malware to be found to have been specifially written to commit payment card fraud, and to be entirely responsible for the stolen records.

At least then we’ll be confident that the malware wasn’t there to steal yet more data from yet more victims.

For now, let’s assume that the malware was a specially designed bot, designed to hook together Target’s PoS registers into a botnet, or “robot network”, of data-stealing Trojans under criminal control.

That raises the question: what about PCI-DSS, the Payment Card Industry Data Security Standards?

Surely Target was compliant, and used encryption all the way from its retail store to its central payment processing database, thus thwarting the crooks by feeding them nothing but shredded cabbage from end to end?

The answer to that question is that credit card data isn’t actually encrypted all the time, even on PCI-DSS compliant systems.

Usually, it’s briefly unencrypted inside the PoS terminal itself – the device with the keypad into which you actually insert or swipe your card.

Putting malware into PoS terminal hardware devices is possible, and lets you can skim off payment card data as early in the process as possible.

Back in 2009, for example, crooks in Australia ripped off McDonalds fast-food outlets that way.

They surreptitiously switched out Macca’s official PoS devices for jury-rigged ones.

They would visit a drive-through window, buy food, and the driver would pass the PoS device, installed on the end of a long data cable, to the passenger for “payment”.

The driver would then act as a sort of human shield behind which the passenger could lurk to carry out the substitution.

A reverse swap-out some weeks later allowed the crooks to recover their Trojanised devices, and then to read off a month or more of payment card data and PIN codes from covert storage inside the hacked units.

But that sort of scam is hard to perpetrate on a national scale, especially at in-store sales points.

That’s where so-called RAM scraping malware comes into the picture.

RAM scraping works because payment card data is often also unencrypted in memory (RAM) in the PoS register, albeit briefly.

This happens as the data is transferred from the PoS terminal to the PoS register.

Of course, PoS registers usually run some version of Windows, and are connected together on an enterprise-wide network.

So a RAM scraping botnet can be used to look out for credit-card-like data popping up in memory on an infected computer.

The bot then grabs the data before payment processing has even taken place, and squirrels it out into the hands of the botmasters.

→ If you are interested in learning more about RAM scrapers, take a look at SophosLabs researcher Numaan Huq’s fascinating Naked Security article that investigates the industrialisation of this aspect of card fraud. And watch this space: Chester Wisniewski will be delivering a joint paper on the topic with Numaan at the 2014 RSA security conference in San Francisco in February 2014.

Is it all doom and gloom for Target?

Well, Target is not the only company to suffer a data breach in 2013, so while it’s fair to criticise the company, it would be unfair to single it out.

And it is worth saying “well done” to Target over the words it has chosen to use in confessing its security sins.

You can watch Target CEO Gregg Steinhafel talking to CNBC here, and judge for yourself:

Click to watch the CNBC video...

Here’s a transcript of the 55-second clip (Naked Security’s emphasis):

Steinhafel: Well, we're in the middle of a criminal investigation, as you can appreciate, and we can only share so much. But as time goes on, we are going to get down to the bottom of this. We are not going to rest until we understand what happened, and how that happened.

Clearly, we are accountable, and we are responsible. But we're going to come out at the end of this a better company, and we're going to make significant changes.

I mean, that's what you're doing when you go through a period like this. You have to learn from it, and you have to apply those learnings. And we're committed to do that.

Interviewer: What can you share? Was it a point-of-service situation? Was it an outside vendor? What happened?

Steinhafel: We don't know the full extent of what transpired. But what we do know was, there was malware installed on our point-of-sale registers. That much we've established.

We removed that malware so that we could provide a safe and secure shopping environment. This investigation is ongoing, and it's going to take some time before we really understand the full extent of what's happened.

Click to learn more about RAM scrapers...