
The FBI expects more to come as the software is affordable and easily available

The U.S. Federal Bureau of Investigation (FBI) is warning retailers that the recent security breach against Target's credit systems was not a one-time deal, and that they should remain aware of their own software in an effort to ward off similar attacks. 

According to Reuters, the FBI sent a confidential, three-page report out to retailers to clue them in on the risks of memory-parsing malware in point-of-sale (POS) systems. The report, dated January 17, is called "Recent Cyber Intrusion Events Directed Toward Retail Firms."

Memory-parsing malware is also known as a "RAM scraper." It targets the normal retail process: a customer swipes a credit or debit card, the POS terminal reads the transaction data from the magnetic stripe and transfers it to the payment processing provider. Even though the data is encrypted for transmission, RAM scrapers exploit a very small window in which the information sits in plain text in the computer's live memory. At that point the information is extracted and either used or sold for profit. 
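As an added illustration (not code from the article or from the FBI report), the Python below models the two ways a swipe can flow through a POS application: the classic flow, in which the application parses the track data itself and only then encrypts it for the processor, and an encrypt-at-swipe (point-to-point encryption) flow, in which the reader encrypts before the application ever sees the bytes. The card number, track layout and keys are constructed samples, and the HMAC-based keystream is a standard-library stand-in for the block cipher a real reader would use.

```python
"""Added example, not code from the DailyTech article or the FBI report.
It shows where the plain-text window the article describes comes from in a
classic POS flow, and how encrypting at the card reader (point-to-point
encryption, P2PE) removes it. Card number, track layout and keys are
constructed sample values."""
import hashlib
import hmac
import os

# Constructed track-2-style swipe: PAN, separator, expiry (YYMM), service code.
SAMPLE_PAN = "4111111111111111"
SAMPLE_TRACK2 = f";{SAMPLE_PAN}=2512101?"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a standard-library stand-in for the
    AES/3DES a real reader would use under a per-device (DUKPT) key."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_track(track: str, key: bytes) -> bytes:
    nonce = os.urandom(16)
    data = track.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt_track(blob: bytes, key: bytes) -> str:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


class LegacyPOS:
    """Classic flow: the POS application receives the raw swipe, parses the
    PAN out of it, then encrypts for the processor. Everything it touched
    sits in process memory until overwritten: the window a RAM scraper uses."""

    def __init__(self, link_key: bytes):
        self.link_key = link_key   # key the POS shares with the processor
        self.memory = []           # stand-in for the buffers the app held

    def handle_swipe(self, raw_track: str) -> bytes:
        self.memory.append(raw_track)
        pan = raw_track.split("=")[0].lstrip(";")
        self.memory.append(pan)    # e.g. kept to print the last four digits
        return encrypt_track(raw_track, self.link_key)


class P2PEPOS:
    """Encrypt-at-swipe: the reader's secure element encrypts before the bytes
    reach the POS application, which forwards a blob it holds no key for."""

    def __init__(self):
        self.memory = []

    def handle_swipe(self, encrypted_blob: bytes) -> bytes:
        self.memory.append(encrypted_blob)
        return encrypted_blob


def pan_exposed(pos, pan: str) -> bool:
    """Self-check of the two designs (not a memory scanner): did any buffer
    the POS application held contain the PAN in clear?"""
    needle = pan.encode()
    return any((buf.encode() if isinstance(buf, str) else buf).find(needle) >= 0
               for buf in pos.memory)


def run_demo() -> dict:
    legacy_key = os.urandom(32)   # POS <-> processor link key
    reader_key = os.urandom(32)   # reader <-> processor key; the POS never has it

    legacy = LegacyPOS(legacy_key)
    legacy_blob = legacy.handle_swipe(SAMPLE_TRACK2)

    p2pe = P2PEPOS()
    p2pe_blob = p2pe.handle_swipe(encrypt_track(SAMPLE_TRACK2, reader_key))

    return {
        "legacy_pan_in_pos_memory": pan_exposed(legacy, SAMPLE_PAN),  # True
        "p2pe_pan_in_pos_memory": pan_exposed(p2pe, SAMPLE_PAN),      # False
        # the processor still recovers the track in both designs
        "legacy_processor_track": decrypt_track(legacy_blob, legacy_key),
        "p2pe_processor_track": decrypt_track(p2pe_blob, reader_key),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the comparison is that the processor decrypts the same track in both cases; what changes is whether the POS application, the component that runs on a general-purpose computer and is the usual infection target, ever holds the PAN in clear.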

The FBI wants retailers to know that they could easily experience the kind of cyber attack that Target endured because memory-parsing malware is affordable, accessible in underground forums and promises huge profits for the hackers. 


 
The FBI report said that many of the POS malware cases it has seen involve small- to mid-sized local or regional businesses, since they can't afford the kind of security tools that major retailers can. The estimated losses from these cases range from tens of thousands of dollars to millions of dollars.

While RAM scraping is not a new thing, the cyber attack against Target during the holiday season has drawn more attention to it. Target's breach ran from November 27 through December 15, during which customer information such as names, card numbers, expiration dates and CVV verification codes was compromised. The breach affected nearly all Target stores across the U.S.; it occurred in-store, not online. 

Original reports said the breach affected 40 million customers, but it was later found that it was actually 70 million customers.

Target wasn't the only retailer to get hit last year. Neiman Marcus said about 1.1 million customer cards were exposed by a data breach from July 16 to October 30 last year.

"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," said the FBI report.

Source: Reuters



Comments

Must come up with a better way...
By techxx on 1/24/2014 11:24:59 AM , Rating: 2
Card swiping needs to go away or become safer. Anxious to see what mobile purchasing will provide in the future.




RE: Must come up with a better way...
By ClownPuncher on 1/24/2014 1:10:09 PM , Rating: 3
You can use cash if you're unsure about security.

Hopefully nobody vomits a rebuttal about getting robbed or mugged.


RE: Must come up with a better way...
By inighthawki on 1/24/2014 2:05:45 PM , Rating: 2
What if you get robbed or mugged?


By ClownPuncher on 1/24/2014 2:36:11 PM , Rating: 5
Then you shouldn't dress so seductively.


RE: Must come up with a better way...
By marvdmartian on 1/27/2014 9:32:10 AM , Rating: 2
Good reason to support concealed carry. ;)


By Dukeajuke on 1/27/2014 11:07:49 AM , Rating: 2
Yep. I personally don't leave the house until I strap on a couple of hand guns, at least 2 concussion nades, a ninja sword, and a spray bottle full of battery acid. You just can't be too careful these days..


RE: Must come up with a better way...
By Solandri on 1/24/2014 2:20:31 PM , Rating: 4
Make the credit card companies liable for fraud and you will see good solutions within a few years.

The problem right now is that the credit card companies have made the merchants liable for fraud. The merchant has no leverage to improve the inherent security of credit card transactions. Heck, most don't even know how it works - it's a magic black box to them. Consequently we have seen no improvements to credit card security.

Any time someone is able to reap the profits from a good or service while pushing the costs onto someone else, market forces will usually fail to arrive at an optimal solution. You have to be sure costs and benefits remain coupled in order for the market to work.


RE: Must come up with a better way...
By lagomorpha on 1/24/2014 2:42:08 PM , Rating: 5
quote:
and you will see good solutions within a few years.


I guess you could have a credit card with a chip in it like a smart card that stores the private key internally and can never be removed from the card. Then instead of transmitting the card number itself, the credit card company sends a random number to the card which signs it with its internal private key. Then the credit card company gets the signature back and when decrypted with the public key it matches what it sent. That way you can have the card prove it is who it says it is without actually storing the actual card number anywhere outside the card itself. I'm sorry if that was completely incoherent, it's Friday afternoon and I'm tired.

What I mean to say is this is not something that, "someone will invent a solution for in a few years", a solution has been around for years but people are too lazy to implement it.

http://en.wikipedia.org/wiki/Smart_card#Financial


RE: Must come up with a better way...
By NellyFromMA on 1/24/2014 3:22:15 PM , Rating: 2
All communications-based systems can be hacked and for something as large a scale as international payments processing the encryption would have to be several magnitudes more secure than what we see commonplace today in any large-scale consumer usage. The backend services to offer this strength of encryption likely wouldn't scale out to the actual scale of credit/debit transactions globally due to cost. Top-end encryption is much more expensive to provide when you want to do it concurrently and low-end encryption is easy to reverse.

I could definitely see banks and/or credit card providers offering (read: screwing) you "secure" payment options for a premium to the end user.

Of course, you could forgo convenience and just pay in cash.


RE: Must come up with a better way...
By lagomorpha on 1/24/2014 4:41:43 PM , Rating: 3
This isn't the dark ages, extremely strong (read: unbreakable unless the NSA has sabotaged your RNG) encryption doesn't take a huge amount of processing power compared to what is readily available today.

It would require replacing a lot of hardware that's been around since the 80s and that is the expense that people are too cheap to sign off on.

Also there's a fairly large difference between "can theoretically be hacked" and "has the number printed in plain sight on the front of the card".


RE: Must come up with a better way...
By Roffles on 1/24/2014 9:07:36 PM , Rating: 3
It really is amazing when you think about it:

The 16 digit number clearly printed on the face of a Visa card is what's used to access your line of credit... which in turn links to your FICO score... which in turn impacts your ability to enjoy economic prosperity within any given 4 to 7-year period under the circumstances of a single hardship for the rest of your life. It really boggles the mind.

My step-mom continuously had her credit card information stolen over the summer, as well as other times in the past, often having the info stolen on a replacement card before she had a chance to use it for the first time. I would try to advise her on strong passwords and fraud protection, but it was over her head. A wealthy retired woman who played by their rules and never missed a bill payment in her life... now has a 650 FICO score and must use my father's credit to get good rates. I shudder to think what sort of identity-theft related garbage is lurking on her full credit report which she doesn't know how to go about removing. It's sad that this system we have in place is broken and skewed in favor of criminals.



By Jeffk464 on 1/25/2014 11:23:14 AM , Rating: 2
You could always freeze your credit.


RE: Must come up with a better way...
By drycrust3 on 1/26/2014 11:34:11 AM , Rating: 2
quote:
often having the info stolen on a replacement card before she had a chance to use it for the first time

I don't understand how a person's credit card information can be stolen before they've received it. Does someone know her login and password to her bank account information via the internet?
I do think her bank should have at least spent some time checking into how this fraud is occurring because it sounds suspiciously like someone is accessing her account.


By mechBgon on 1/26/2014 8:09:52 PM , Rating: 2
quote:
I don't understand how a person's credit card information can be stolen before they've received it.

When one of my cards expired, I received the new one, with a new number and CVV code, but I never called to activate the new card, let alone actually use it. But several months later, this new unactivated card's number was used fraudulently to buy pr0n. How?

Capital One had no answers. I cancelled the account. This was in roughly the mid-2000s.

On the main topic, I have no problem believing that the bad guys are just warming up, now that they've seen what kind of payout the Target compromise had.


RE: Must come up with a better way...
By Piiman on 1/25/2014 8:56:05 AM , Rating: 1
quote:
The merchant has no leverage to improve the inherent security of credit card transactions. Heck, most don't even know how it works - it's a magic black box to them.

It's apparent you don't know how it works. Retailers pick the hardware they use; the Payment Card Industry sets the standards for encryption etc etc, but the retailers DO know how it works and DO have a say in what they use to process cards. It looks like they need to encrypt card info as soon as it is swiped now, so you can expect that to happen at some point, but since that is a big cost for retailers it won't happen overnight.


By Solandri on 1/26/2014 3:18:22 AM , Rating: 2
I'm not saying merchants shouldn't have to use the security measures that are available to them.

I'm saying making a fraudulent transaction shouldn't be as simple as lifting a 16 digit number plus some ancillary personal info. It's 2014. I can send a letter to my friend, encrypted such that he knows with certainty that I wrote it, and I know with certainty that only he can read it. The same thing needs to be done to replace credit card numbers.

e.g. Garage door openers ran into the same problem in the 1990s. Radio receivers that could record the code to open a garage door became widespread. It was trivial to record someone's opener, then play it back at a later time to open their garage door. In response, manufacturers switch to rolling codes. The opener and receiver both have the same mathematical algorithm, and the code rolls over to the subsequent code generated by the algorithm after each successful use.

Implement something like that in a credit card and stealing the number used for a purchase becomes useless - that number will never work again. But the credit card companies have no interest in implementing something like that because fraud doesn't cost them anything. The merchant can't implement it because this is something that needs to happen between the cardholder and the credit card processor.
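lagomorpha's post above describes a card that proves itself by answering a fresh random challenge with a key that never leaves the card, and Solandri's post describes a rolling code that is dead after one use. EMV online authorisation combines both ideas, and (unlike lagomorpha's public-key sketch) does so with a symmetric card-unique key that only the card and the issuer hold. The Python below is an added example, not code from either commenter or from any card scheme; it follows that EMV shape with HMAC-SHA256 standing in for EMV's 3DES/AES MAC, with the issuer supplying the challenge as lagomorpha described, and with constructed keys, amounts and card number. It then shows what happens when a captured transaction is replayed or patched.

```python
"""Added example, not code from the thread. A card holds a key derived by
its issuer; each authorisation is a MAC over the amount, a per-card
transaction counter (ATC) and an issuer-supplied challenge. Capturing the
card number and a whole transaction gives no way to make another one.
HMAC-SHA256 stands in for EMV's 3DES/AES MAC; all values are constructed."""
import hashlib
import hmac
import os


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Issuer derives a card-unique key at personalisation; the card stores
    it, the issuer can re-derive it, and it never appears on the wire."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


class Card:
    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key   # never leaves the chip
        self.atc = 0           # application transaction counter (the "rolling" part)

    def authorise(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        self.atc += 1
        msg = f"{self.pan}|{amount_cents}|{self.atc}".encode() + unpredictable_number
        cryptogram = hmac.new(self._key, msg, hashlib.sha256).digest()
        # This dict is everything that travels merchant -> processor -> issuer.
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "un": unpredictable_number, "cryptogram": cryptogram}


class Issuer:
    def __init__(self):
        self.master_key = os.urandom(32)
        self.last_atc = {}     # per PAN: highest counter already accepted
        self.pending = {}      # per PAN: challenge currently outstanding

    def personalise(self, pan: str) -> Card:
        self.last_atc[pan] = 0
        return Card(pan, derive_card_key(self.master_key, pan))

    def challenge(self, pan: str) -> bytes:
        un = os.urandom(4)     # EMV calls this the "unpredictable number"
        self.pending[pan] = un
        return un

    def verify(self, auth: dict) -> str:
        pan = auth["pan"]
        if self.pending.get(pan) != auth["un"]:
            return "DECLINE: stale challenge"
        if auth["atc"] <= self.last_atc.get(pan, 0):
            return "DECLINE: counter already used (replay)"
        key = derive_card_key(self.master_key, pan)
        msg = f"{pan}|{auth['amount']}|{auth['atc']}".encode() + auth["un"]
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, auth["cryptogram"]):
            return "DECLINE: bad cryptogram"
        self.last_atc[pan] = auth["atc"]
        del self.pending[pan]
        return "APPROVE"


def run_demo() -> list:
    issuer = Issuer()
    card = issuer.personalise("4111111111111111")   # constructed PAN
    results = []

    # 1. Genuine purchase.
    auth = card.authorise(4999, issuer.challenge(card.pan))
    results.append(issuer.verify(auth))              # APPROVE

    # 2. The whole captured message is sent again verbatim.
    results.append(issuer.verify(auth))              # DECLINE: stale challenge

    # 3. A fresh challenge is obtained and patched into the captured message.
    patched = dict(auth, un=issuer.challenge(card.pan))
    results.append(issuer.verify(patched))           # DECLINE: counter already used (replay)

    # 4. The counter is bumped too, but without the card key the MAC is wrong.
    patched = dict(patched, atc=auth["atc"] + 1)
    results.append(issuer.verify(patched))           # DECLINE: bad cryptogram

    # 5. The real card still works: fresh challenge, counter moves on.
    auth2 = card.authorise(1250, issuer.challenge(card.pan))
    results.append(issuer.verify(auth2))             # APPROVE
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Two design points are worth noticing. The counter is what makes the scheme a rolling code in Solandri's sense (step 3 is declined even with a valid challenge), and the challenge is what keeps a stolen message from being cashed in before the genuine card's next use; together they mean the PAN that still travels in clear is no longer a credential on its own.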


RE: Must come up with a better way...
By ProfFarnsworth on 1/25/2014 6:18:41 PM , Rating: 2
Ummmm. It isn't the card companies that are at fault if the merchant cannot secure its info. There are so many regulations at play regarding how credit cards and merchants must continue with each transaction.

All processes go like this:
customer>merchant>payment processing>Card Companies>Bank
then back to customer. One large loop. Every system in that loop has a system of checks and balances that need to be worked out. If the merchant fails to verify the customer and gets passed on, then they are at fault. If the processing company doesn't verify the transaction with the card issuer and bank, then they are at fault. Majority of the time banks and card companies cannot be at fault because they are not processing payment but accepting the transaction provided by the processor themselves. So all in all, the card companies set the ground rules and the last middleman before it reaches the bank.

People really need to understand that IT ISN'T YOUR BANK THAT ALLOWED THE CHARGES. It was the info that the merchant submitted and what the banks got.

How do I know all this? I work for one and not at the branch level, more like behind the scenes.


By Solandri on 1/26/2014 3:24:09 AM , Rating: 2
quote:
Ummmm. It isn't the card companies that are at fault if the merchant cannot secure its info. There are so many regulations at play regarding how credit cards and merchants must continue with each transaction.

Sigh. So you think the system isn't at fault if you're only allowed to have a 4-digit password, and someone manages to figure out your password?

Securing the transmission with 1024-bit encryption is pointless when the data you're protecting is the same 16 digits used for every transaction. It's like sending a secret message by armored car, but writing it in plain English and carrying it around in your pocket so that anyone who peeks when you pull it out can read it. The merchants can't fix this; it's the banks and credit card companies which need to fix it.


RE: Must come up with a better way...
By AntiM on 1/24/2014 1:55:40 PM , Rating: 2
People buying online should get a single-use CC. Bank of America has a program called "ShopSafe". It will issue a temporary 16-digit account number, with expiration date and security code.
That might solve some of the problems.
I never use a credit card at a restaurant unless I hand it directly to the cashier myself. I always use cash at the gas station. No system will ever be 100% secure.


RE: Must come up with a better way...
By Owls on 1/24/2014 2:01:57 PM , Rating: 2
It's been months and no one has been caught. If this doesn't prove that NSA's spying is a useless farce I don't know what is


By Piiman on 1/25/2014 8:59:54 AM , Rating: 2
WTF?? does this have to do with NSA meta data gathering?
NOTHING


RE: Must come up with a better way...
By NellyFromMA on 1/24/2014 3:15:05 PM , Rating: 2
If you think dumb-cards are unsafe and vulnerable, just think of how vulnerable the openly programmable version is... You've just introduced a new surface area to be intruded on...

Mobile phones, particularly Android, are less secure than PCs even, so mobile purchasing hardly seems to be the "secure" way to pay.

The secure solution likely would involve a proprietary closed-wall device that somehow could not be jail-broken or ROM flashed. Anything short of that is frankly less secure than a "dumb" card in its usage today.


By lagomorpha on 1/24/2014 3:21:38 PM , Rating: 2
quote:
The secure solution likely would involve a proprietary closed-wall device that somehow could not be jail-broken or ROM flashed. Anything short of that is frankly less secure than a "dumb" card in its usage today.


Very true. A separate chip in your phone that performs the functions of a smart card so that it's impossible for the phone's OS/main memory to directly know the number would probably work, at a very slight cost/size penalty.


RE: Must come up with a better way...
By Jeffk464 on 1/25/2014 11:25:24 AM , Rating: 2
Yup, I do not trust smart phones for banking at all as of yet. Really I don't trust windows but I'm kind of stuck right now.


By ProfFarnsworth on 1/25/2014 6:24:15 PM , Rating: 2
Protip: Most "hackers" will not go after an individual PC. They will, on the other hand, be very friendly over the phone with you in order to get your info.

The easiest scam I have heard of so far was scammers out in India who will call random people and claim to be from Microsoft. They will tell the caller that their PC is sending Microsoft viruses or that they received info that their computer needs fixing. Next thing the victims know is that the scammers now have access to their computers at any time and are charging $250+ for so-called "repairs".

This is how a lot of fraud happens because a lot of the time people willingly give out their bank info with no hesitation. It's really sad.


RE: Must come up with a better way...
By p05esto on 1/26/2014 3:27:46 PM , Rating: 2
I would be a lot more worried about cell phones than a physical and non-editable credit card. All computers and cell phones can be hacked... easy. Then all thief has to do is grab your cell phone, install the right type of malware for your phone and go on a little spending spree. I think cell phones would be far more dangerous... security wise.


By NaughtyGeek on 1/27/2014 12:07:18 PM , Rating: 2
Hmm, getting someone's phone, breaking the password (if there is one), then developing software to break whatever encryption is used for said cell phone's payment method prior to someone being able to report said phone stolen and the phone being updated OTA rendering the payment method useless is easier than swiping someone's credit card and using it?


Security measures.
By ishnefin on 1/24/2014 11:59:00 AM , Rating: 2
Need to do away with all cards. I work in a large hospital. When we sign out narcotics or medicines for patients, we scan our fingerprint and enter a PIN or password. Why could this not be implemented for credit or debit cards? You could scan your finger, then enter a specific code for that particular card and a PIN.




RE: Security measures.
By artemicion on 1/24/2014 12:45:10 PM , Rating: 2
Fingerprints are easier to steal than credit card numbers (hackers could just pull them off your car door). Both fingerprints and PIN/passwords would be susceptible to the same RAM scraping technique used to steal the credit cards. So your hospital's system really isn't any more secure than the current credit card system. If anything, I'd argue that it's less secure, but probably sufficient for the hospital setting because there's no black market for hospital pharmacy security information.


RE: Security measures.
By Piiman on 1/25/2014 9:14:41 AM , Rating: 2
Well it's not going to look good pulling out a lifted print and trying to use it at a POS terminal :-)


RE: Security measures.
By Jeffk464 on 1/25/2014 11:30:38 AM , Rating: 2
It just makes sense to have more than one hindrance. Say you have to have the physical credit card, eye scan, a password, and then a 4 digit code texted to your phone. Really you can just keep adding things and make it pretty tough to beat if anyone was interested. By the way I think having a code texted to you phone is about the slickest security.


RE: Security measures.
By kmmatney on 1/25/2014 8:48:00 PM , Rating: 2
For someone in Russia, a fingerprint will be a lot harder to steal than a credit card number.


RE: Security measures.
By Ahnilated on 1/24/2014 1:57:12 PM , Rating: 2
Because fingerprints are also private data and no one is getting mine without a valid warrant or me being dead.


RE: Security measures.
By Divide Overflow on 1/24/2014 3:00:25 PM , Rating: 2
Your fingerprints are pretty easy to obtain, even without your consent or knowledge.


RE: Security measures.
By lagomorpha on 1/24/2014 3:13:24 PM , Rating: 2
quote:
Your fingerprints are pretty easy to obtain, even without your consent or knowledge.


And also rather difficult to have reset once they've been compromised.


RE: Security measures.
By Piiman on 1/25/2014 9:13:09 AM , Rating: 2
This attack happens after all your security and before it's encrypted, so in your example you haven't solved anything.


Canada cc protection policy
By Swuycheck on 1/25/2014 9:58:25 AM , Rating: 2
Just went to Canada and had a hard time using my cc due to not having a card with a "chip" and linked password. It got to the point that anytime I handed over my card I had to say it was a card from the US and it didn't have a chip/password. Anyone know if this type of system would help curtail the issues listed in the article? Or would the passwords also be available to see via the malware infected computer? All the Canadian retailers said they loved the system when I asked about it and said that fraud has dropped significantly. Didn't ever research their statements...




By Swuycheck on 1/25/2014 10:06:07 AM , Rating: 2
http://www.buffalonews.com/business/behind-the-cre...

Some info about the chip/pin security system in place in Canada and other parts of the world. Seems interesting. 2015 is listed as a start date to require pos systems to have pin capable readers.


RE: Canada cc protection policy
By Swuycheck on 1/25/2014 10:09:20 AM , Rating: 2
quote:
In fact, even if chip cards were in use here, it wouldn't have prevented Target's massive data breach, since the data was stolen from Target's giant database of electronic records, rather than at its point-of-sale terminals. Still, the Target debacle has stirred American consumers' demand for the more secure chip cards.


RE: Canada cc protection policy
By kmmatney on 1/25/2014 8:49:49 PM , Rating: 2
It would be a help, as you can change your pin right away.


Sounds like it's easy to fix
By corduroygt on 1/24/2014 10:44:38 PM , Rating: 2
Use Linux or iPad based POS systems, and they can't be infected by malware, at least not nearly as easily as windows POS systems.

wouldn't that solve the problem or am I missing something here?




RE: Sounds like it's easy to fix
By Piiman on 1/25/2014 9:20:00 AM , Rating: 2
WRONG and NO since.


By NaughtyGeek on 1/27/2014 12:16:34 PM , Rating: 2
Lmao, funniest thing I've read all week. You're truly stating that compromising a Windows machine is easier than a Linux or OSx machine? You obviously are not aware that the prevalence of windows v Linux/OSx viruses/malware is a product of installed user base, not ease of compromise. I'm quite certain that a password protected iPad can be accessed much quicker and easier than a password protected Windows 7 machine, just sayin.

Or, perhaps, my sarcasm detector is in need of recalibration.


Needs clarification
By amanojaku on 1/24/2014 11:57:05 AM , Rating: 3
quote:
Original reports said the breach affected 40 million customers, but it was later found that it was actually 70 million customers.
This isn't exactly what happened. There were at least two types of breaches.

One affected the POS systems and obtained the credit and debit swipes of 40 million shoppers during the holiday shopping period. These are the systems that were RAM-scraped.

The second was an internal database breach, where the personal details of 70 million customers (active or not, possibly dating back to the first one on record) were stolen. The means were not revealed at the time I last checked.

Since the customer database likely contained a portion of the 40 million shoppers, and probably had duplicate or invalid entries, the number affected could be as low as 70 million, and as high as 110 million.

http://finance.yahoo.com/news/im-still-shaken-targ...




RE: Needs clarification
By TheDoc9 on 1/27/2014 10:32:37 AM , Rating: 2
This is what's interesting, there's something to this story that isn't being readily reported on.

How did they get access to the internal db? How did this malware get on so many pos machines? The answers to these questions will be interesting...


Not that hard
By mmc4587 on 1/25/2014 2:08:58 AM , Rating: 2
It can't be that hard to fix. Yes, I understand they need access to the net to conduct transactions. However, I fail to see why the software on a credit card scanner is not hard-coded and thus impossible to install malicious code onto. You could even design the ROM code such that it uses all of the available RAM... there are so many potential solutions...




RE: Not that hard
By Piiman on 1/25/2014 9:25:16 AM , Rating: 1
I see you have no idea what "hard coding" is and what would using all the memory do other than give you an out of memory error?


What security does Target use?
By LiamC on 1/25/2014 12:25:00 AM , Rating: 2
..."involve small-to-mid sized local or regional businesses, since they can't afford the kind of security tools that major retailers can."...

So Target is an SME?

/sarcasm people



