US retailer Target's point-of-sale terminals were infected with malware

The company's CEO confirmed that attackers used malware to steal credit and debit card data from PoS systems

The CEO of retailer Target revealed Saturday in an interview that the company's point-of-sale (PoS) systems were infected with malware, confirming what security experts suspected since the massive data breach was announced in mid-December.

Answering a question about what caused the breach during an interview for CNBC, Target CEO, Gregg Steinhafel, said: "We don't know the full extent of what transpired, but what we do know is that there was malware installed on our point-of-sale registers. That much we've established."

Target originally said that about 40 million credit and debit card accounts may have been impacted by the breach. The company announced on Friday that information such as names, email addresses, mailing addresses and phone numbers of an additional 70 million people was also stolen.

Malware programs designed for PoS systems are commonly referred to as RAM scrapers, because they search the terminal's random access memory (RAM) for transaction data and steal it.

PoS systems are actually computers with peripherals like card readers and keypads attached to them. Many of these systems run a version of Windows Embedded as the OS as well as special cash register software.

Every time a customer swipes a card at a PoS terminal to authorize a transaction, the data encoded on the card's magnetic stripe -- the card number, the cardholder's name, the card's expiration date -- is passed along with the transaction request to the payment application and then to the company's payment processing provider.

While this information is encrypted as it leaves the PoS system and the company's network, the payment application has to read it in cleartext to build the authorization request, so there is a window during which it sits in the system's RAM unencrypted and can be read by malware installed on the machine. That is what appears to have happened in the Target case.

Such PoS attacks are not new, but their frequency and the interest of cybercriminals in PoS RAM scraping malware has increased during the past year.

At the beginning of December two security companies independently reported new attack campaigns with PoS malware. Target said that the credit and debit card information was stolen from its systems between Nov. 27 and Dec. 15.

Visa issued two security alerts in 2013, in April and August, warning merchants of attacks using memory-parsing PoS malware.

"Since January 2013, Visa has seen an increase in network intrusions involving retail merchants," Visa said in its August advisory. "Once inside the merchant's network, the hacker will install memory parser malware on the Windows based cash register system in each lane or on the Back-of-the-House (BOH) servers to extract full magnetic stripe data in random access memory (RAM)."

Hackers can break into PoS systems and merchant networks by exploiting various security holes, but a common method is to steal or brute force remote administration credentials. Many merchants rely on third-party companies for technical support, and those companies frequently use remote access tools, sometimes with easy-to-guess credentials.

Visa's alert contains recommendations for securing both merchant networks and the PoS systems against malware attacks.

"Use two-factor authentication when accessing the payment processing networks," the credit card company said. "Even if Virtual Private Networking (VPN) is used, it is important that 2-factor authentication be implemented. This will help to mitigate key logger or credential dumping type of attacks."

Another security measure that could prevent RAM scraping attacks is to implement hardware-based end-to-end, or point-to-point, encryption. This would ensure that card data is not exposed in cleartext at any point on its way to the payment processor. However, implementing this technology could involve acquiring and deploying new PoS terminals and card readers, which can be very expensive for a large retailer.

With the information from a card's magnetic stripe, known as track 1 and track 2 data, cybercriminals can effectively clone the card. However, they also need the PIN in order to withdraw money from an ATM or perform fraudulent transactions with a cloned debit card.
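The following Go program is an added example, not code from the article or from any party it describes. It scans a constructed memory buffer for ISO 7813 track 1 and track 2 records, which is exactly what a RAM scraper does to a PoS process and, equally, what a defensive memory scanner or cardholder-data discovery tool does to find cleartext card data before an attacker does. The buffer layout, the name DOE/JOHN, and the expiry and service-code values are invented; the PANs are the widely published test numbers 4012888888881881 and 4111111111111111, plus a deliberately Luhn-invalid decoy.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Track 1 format B (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
var track1Re = regexp.MustCompile(`%B(\d{13,19})\^([A-Z0-9 /.-]{2,26})\^(\d{4})(\d{3})([0-9A-Z ]*)\?`)

// Track 2 (ISO 7813): ;<PAN>=<YYMM><service code><discretionary>?
var track2Re = regexp.MustCompile(`;(\d{13,19})=(\d{4})(\d{3})([0-9]*)\?`)

// Track is one recovered magnetic-stripe record.
type Track struct {
	Format string // "track1" or "track2"
	PAN    string
	Name   string // empty for track 2
	Expiry string // YYMM
	Offset int    // byte offset in the scanned buffer
}

// luhnValid applies the Luhn check that every real PAN satisfies; scanners use it
// to discard digit runs that merely look like card numbers.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// scanMemory returns every Luhn-valid track record found in buf, track 1 hits first.
func scanMemory(buf []byte) []Track {
	var found []Track
	for _, m := range track1Re.FindAllSubmatchIndex(buf, -1) {
		pan := string(buf[m[2]:m[3]])
		if !luhnValid(pan) {
			continue
		}
		found = append(found, Track{"track1", pan, string(buf[m[4]:m[5]]), string(buf[m[6]:m[7]]), m[0]})
	}
	for _, m := range track2Re.FindAllSubmatchIndex(buf, -1) {
		pan := string(buf[m[2]:m[3]])
		if !luhnValid(pan) {
			continue
		}
		found = append(found, Track{"track2", pan, "", string(buf[m[4]:m[5]]), m[0]})
	}
	return found
}

// maskPAN keeps only the first six and last four digits, the most a defensive
// tool should ever write to a log.
func maskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// sampleMemory is a constructed stand-in for a slice of a payment application's
// heap: protocol debris and zero padding around track data held in cleartext.
func sampleMemory() []byte {
	var b []byte
	b = append(b, []byte("AUTHREQ\x00\x00\x13 lane07 ")...)
	b = append(b, []byte("%B4012888888881881^DOE/JOHN^25121011234567890?")...)
	b = append(b, make([]byte, 32)...)
	b = append(b, []byte(";4111111111111111=25121011234567890?")...)
	b = append(b, []byte(" stale ;4111111111111112=2512101000? end")...) // Luhn-invalid decoy
	return b
}

func main() {
	for _, t := range scanMemory(sampleMemory()) {
		fmt.Printf("%s at offset %d: PAN %s exp %s name %q\n", t.Format, t.Offset, maskPAN(t.PAN), t.Expiry, t.Name)
	}
}
```

The same two regular expressions, minus the Luhn filter, are what PoS memory parsers carry; the Luhn check is what separates a useful detection signature from one that fires on every 16-digit counter in memory. Run against a real process dump the output should only ever be masked, as above.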

In the Target case the PIN was reportedly encrypted at the keypads using the Triple Data Encryption Standard algorithm (Triple-DES or 3DES), which is commonly used in the payment industry.

"Due to how the encryption process works, Target does not have access to nor does it store the encryption key within our system," Target said on its website. "The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident."

Some security researchers believe that if Target implemented 3DES encryption as mandated by the payment industry's security standards, brute force recovery of the PINs is unlikely to succeed: without the key, an attacker has to search the 3DES key space rather than the 10,000 possible four-digit PINs. Others remain skeptical.
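To make the key-custody argument concrete, here is an added Go example; it is not Target's, its processor's, or any PIN pad vendor's code. It builds a PIN block, encrypts it with 3DES as a PIN pad does, and demonstrates two things the passage above relies on: the same PIN on two different cards produces different ciphertext, because the block is XORed with PAN digits before encryption, so stolen blocks cannot be grouped by PIN; and anyone who does hold the key recovers a four-digit PIN from a stolen block in at most 10,000 trial encryptions, which is why everything rests on the key never existing on the merchant's systems. The ISO 9564-1 format 0 layout is assumed here, since the article does not say which PIN block format Target's pads use, and the key and PANs are constructed values.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// clearPINBlock builds an ISO 9564-1 format 0 PIN block (assumed format; the
// article does not name one): a 16-hex-digit PIN field XORed with a
// 16-hex-digit field derived from the PAN.
func clearPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, fmt.Errorf("PIN length %d outside 4..12", len(pin))
	}
	if len(pan) < 13 {
		return nil, fmt.Errorf("PAN too short: %d digits", len(pan))
	}
	// field 1: control nibble 0, PIN length nibble, PIN digits, 'F' padding
	pinField := fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin)))
	// field 2: 0000 followed by the 12 rightmost PAN digits excluding the check digit
	panField := "0000" + pan[len(pan)-13:len(pan)-1]
	a, err := hex.DecodeString(pinField)
	if err != nil {
		return nil, err
	}
	b, err := hex.DecodeString(panField)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = a[i] ^ b[i]
	}
	return block, nil
}

// tdesKey expands a double-length (16-byte) payment key to the K1||K2||K1 form
// that crypto/des expects; triple-length (24-byte) keys are used as-is.
func tdesKey(key []byte) ([]byte, error) {
	switch len(key) {
	case 16:
		return append(append([]byte{}, key...), key[:8]...), nil
	case 24:
		return key, nil
	}
	return nil, fmt.Errorf("3DES key must be 16 or 24 bytes, got %d", len(key))
}

// encryptPINBlock performs the single-block 3DES encryption a PIN pad applies;
// a PIN block is exactly one 8-byte block, so no chaining mode is involved.
func encryptPINBlock(key, block []byte) ([]byte, error) {
	k, err := tdesKey(key)
	if err != nil {
		return nil, err
	}
	c, err := des.NewTripleDESCipher(k)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// recoverPINWithKey is the attacker's job once the key is in hand: with the PAN
// (available from track data) a 4-digit PIN falls in at most 10,000 encryptions.
// Without the key the same search is over the 3DES key space instead.
func recoverPINWithKey(key []byte, pan string, encBlock []byte) (string, bool) {
	for i := 0; i < 10000; i++ {
		pin := fmt.Sprintf("%04d", i)
		clear, _ := clearPINBlock(pin, pan)
		enc, err := encryptPINBlock(key, clear)
		if err != nil {
			return "", false
		}
		if bytes.Equal(enc, encBlock) {
			return pin, true
		}
	}
	return "", false
}

func main() {
	// constructed key; in a real deployment it exists only in the PIN pad's secure
	// element and the processor's HSM, never on the register or store network
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	for _, pan := range []string{"4000001234567899", "5100000000000008"} { // constructed PANs
		clear, _ := clearPINBlock("1234", pan)
		enc, _ := encryptPINBlock(key, clear)
		fmt.Printf("PAN ...%s  clear block %X  encrypted %X\n", pan[len(pan)-4:], clear, enc)
	}
}
```

The two printed ciphertexts differ even though the PIN is identical, which is the property that stops an attacker from tallying the most common blocks in 50GB of stolen data and labelling them "1234". The brute-force helper is there to show the flip side: the PIN space is tiny, so the moment a PIN-encryption key leaks, every block encrypted under it is open.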

The matter of PIN decryption has been widely discussed in underground forums and at the beginning of January a cybercriminal posted a request for help to decrypt 50GB of stolen PIN blocks, Andrey Komarov, the CEO of cybercrime intelligence firm IntelCrawler said via email.

The IntelCrawler researchers followed the discussion and determined that some of the cards in a sample set provided by the hacker had been issued by U.S. and Canadian banks. "The recent request by the underground to decrypt PIN data may be coincidental to the Target breach or possibly some of the actual perpetrators floating the sample to see what resources and success the power of the underground has had or could have given the magnitude and value of the Target breach," they said in a blog post.

Stories by Lucian Constantin