Target credit card hack much worse than originally thought

The hackers who busted into the credit card system for Target stores hit a thousand other businesses too, in an online crime spree big enough to get the Department of Homeland Security involved.  The New York Times reports that DHS issued an advisory concerning the havoc wrought by the “Backoff” malware package on Friday:

The attacks were much more pervasive than previously reported, the advisory said, and hackers were pilfering the data of millions of payment cards from American consumers without companies knowing about it. The breadth of the breaches, once considered limited to a handful of businesses, underscored the vulnerability of payment systems widely used by retail stores across the country.

On July 31, Homeland Security, along with the Secret Service, the National Cybersecurity and Communications Integration Center and their partners in the security industry, warned companies to check their in-store cash register systems for a malware package that security experts called Backoff after a word that appeared in its code. Until that point, Backoff malware and variations of it were undetectable by antivirus products.

Since then, seven companies that sell and manage in-store cash register systems have confirmed to government officials that they each had multiple clients affected, the government said Friday. Some of those clients, like UPS and Supervalu, have stepped forward, but most have not.

This is a recurring problem with large-scale hacker attacks on businesses and government agencies: the victims are reluctant to make the details known to the public, fearing the immense damage they would suffer from the loss of user confidence.

What makes these massive, stealthy credit-card heists possible is the magnetic stripe technology commonly used on credit cards.  A scramble to devise a more secure system of card-swiping is under way:

The Target breach exposed problems with the magnetic stripes on credit cards. Since then, banks and companies have taken a renewed interest in a chip-based smart card standard known as E.M.V., short for Europay-MasterCard-Visa, the technology’s first backers. Credit card companies have set an October 2015 deadline for American retailers to upgrade their payment systems.

“The weakness is the magnetic stripe,” said Avivah Litan, a security analyst for Gartner Research. “I can buy a mag stripe reader on eBay and easily read all the data from your credit card. It’s an antiquated technology from the ’60s.”

E.M.V. makes counterfeiting far more difficult than magnetic stripe cards, but analysts say they believe that most retailers will not meet the October 2015 deadline because of the cost to upgrade their terminals — from $500 to $1,000 per terminal, according to Javelin Strategy & Research.

With cash register malware rampant, however, they may have no choice.

Another problem highlighted by the Homeland Security report is that many of the big online retailers don’t employ lockout systems to thwart multiple failed login attempts.  A truly secure system will shut down further login efforts after a certain number of failed attempts using the same user name, or emanating from the same Internet address.  Strangely enough, the companies targeted by hackers in these big heists don’t appear to have such protection, allowing the thieves to simply blast away at their corporate networks with bots that generate random user names and passwords, until one of the thousands or millions of break-in attempts succeeds.
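The lockout described above, sketched as an added example (not code from the DHS advisory or the Times report). It counts failures per user name and per source address, because a run of random user names never trips a per-user counter. The class name, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window lockout keyed on both user name and source address."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures    # failures tolerated inside the window
        self.window = window                # seconds a failure stays counted
        self.lockout = lockout              # seconds a key stays blocked
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.blocked_until = {}             # key -> time the block expires

    def _keys(self, user, addr):
        return (("user", user.lower()), ("addr", addr))

    def is_blocked(self, user, addr, now):
        return any(self.blocked_until.get(k, 0) > now for k in self._keys(user, addr))

    def record_failure(self, user, addr, now):
        for key in self._keys(user, addr):
            q = self.failures[key]
            q.append(now)
            while q and q[0] <= now - self.window:  # drop failures outside the window
                q.popleft()
            if len(q) >= self.max_failures:
                self.blocked_until[key] = now + self.lockout
                q.clear()

    def record_success(self, user, addr):
        # Reset only the user counter; the address may still be guessing other accounts.
        self.failures.pop(("user", user.lower()), None)

def replay(events, throttle):
    """Feed (time, user, addr, password_ok) events; return the decision for each."""
    decisions = []
    for now, user, addr, ok in events:
        if throttle.is_blocked(user, addr, now):
            decisions.append("blocked")
        elif ok:
            throttle.record_success(user, addr)
            decisions.append("allowed")
        else:
            throttle.record_failure(user, addr, now)
            decisions.append("failed")
    return decisions

# Constructed sample: one address tries a new random user name each second,
# then a legitimate user at a different address logs in.
SPRAY = [(t, f"user{t}", "203.0.113.7", False) for t in range(8)]
SAMPLE = SPRAY + [(8, "alice", "198.51.100.20", True)]
```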

According to DHS, these targeted networks also don’t have very strong password requirements, they don’t fully encrypt all of the data at every step of a credit-card transaction, and they’re not firewalling cash registers from the big store and corporate networks – a structural flaw that allows hackers to feast on huge amounts of consumer data from multiple locations after cracking a single corporate network.  Another tip offered to retailers was scanning store networks to look for blatantly weird Internet activity, such as “a cash register in a UPS Store in Tennessee communicating with a server in Russia.”
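The network check suggested above, as an added example that is not part of the advisory: it flags any flow leaving the cash register segment for a destination that is not on a short allowlist. An allowlist stands in for the country lookup in the quoted example, since no geo-IP database is assumed here; the subnets, ports and flow-record format are constructed for illustration.

```python
import ipaddress

# Assumed values for illustration: the register subnet and the only
# destinations registers are expected to reach.
POS_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_DESTS = [
    (ipaddress.ip_network("192.0.2.0/28"), 443),    # payment processor (placeholder)
    (ipaddress.ip_network("10.20.0.10/32"), 8530),  # internal update server (placeholder)
]

# Constructed flow records: "epoch src_ip dst_ip dst_port bytes_out"
SAMPLE_FLOWS = """\
1409000000 10.20.30.11 192.0.2.5 443 2310
1409000004 10.20.30.11 10.20.0.10 8530 512
1409000009 10.20.30.12 203.0.113.66 443 48211
1409000015 10.20.40.7 203.0.113.66 443 900
1409000021 10.20.30.12 192.0.2.5 80 120
not a flow record
"""

def parse_flow(line):
    """Return (ts, src, dst, port, bytes_out), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (int(parts[0]), ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]), int(parts[4]))
    except ValueError:
        return None

def is_allowed(dst, port):
    return any(dst in net and port == p for net, p in ALLOWED_DESTS)

def unexpected_register_traffic(text):
    """Flag flows that leave the register segment for a destination not on the allowlist."""
    alerts = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed lines rather than abort the scan
        ts, src, dst, port, sent = flow
        if src in POS_SEGMENT and dst not in POS_SEGMENT and not is_allowed(dst, port):
            alerts.append((ts, str(src), str(dst), port, sent))
    return alerts
```

The same allowlist, enforced at the firewall between the register segment and the rest of the network, turns the detection into the segmentation the advisory asks for.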

Those are some truly bizarre security flaws – I can hardly believe a company of any size in 2014 would not already be taking most of the suggestions made in the Homeland Security report.  Target has already paid a stiff price for the data breach it suffered, posting some woeful performance numbers (a 62 percent drop in earnings for the second quarter? Holy crap…  Say, how’s everyone enjoying that “Obama recovery?”) which are blamed, in part, on an enduring loss of consumer confidence following the data breach last Christmas.  They’re actually worried about “training customers to expect lower prices” with all the big discounts they’re using to lure warm bodies into their stores; their pricing structure might slowly mutate into something that cannot support their business model. 

Whatever good online and point-of-sale security costs, retail giants, pay it.  It’s money well spent.

