January 2014

Retailers Hit by Criminals

US retailer Target announced in January that data such as addresses and phone numbers of more than 70M of its customers had been stolen in the Thanksgiving malware attack.

When the Security Services first warned the company of the attack in mid-December, the company calculated that it had lost the card details of 40M customers, going back to the Thanksgiving shopping spree when the attack first started.

Investigators had been monitoring suspicious overseas credit card activity and had picked up a common thread: the cards had previously been used at Target. However, it would appear that JP Morgan Chase also detected this fraudulent activity and alerted the credit card payment operators at about the same time.

Apparently the hackers managed to get malware into the Target POS terminals that reported the card details back to a hacked server in the data centre. This malware is referred to as a memory scraper or memory parsing software, about which retailers had been warned earlier in 2013 by Visa and Mastercard.

In this case the malware has been given the name Kaptoxa, after a word found in the malware code, which is written in Russian. Apparently the word is Russian for potato, which I understand is underground slang for a credit card.

The malware picks up the card details in plain text before they are enciphered for handling on the local network. The POS then accumulated this data and sent it back to the hacked network server every hour.
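A defender's view of the hourly transfer described above, as an added example that is not part of the original article: a network-side check that flags POS terminals sending data to an unlisted internal host at a near-constant interval. The flow records, host names, allowlist and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical allowlist: the only internal host a POS terminal should talk to.
ALLOWED_DESTINATIONS = {"10.0.1.10"}  # assumed payment switch address

# Constructed flow records: timestamp, source terminal, destination, bytes sent.
SAMPLE_FLOWS = """\
2014-01-06T09:00:04 pos-017 10.0.5.20 48211
2014-01-06T09:03:00 pos-022 10.0.7.7 300
2014-01-06T09:10:00 pos-022 10.0.7.7 280
2014-01-06T09:12:40 pos-017 10.0.1.10 912
2014-01-06T10:00:02 pos-017 10.0.5.20 51877
2014-01-06T11:00:05 pos-017 10.0.5.20 39950
2014-01-06T11:45:00 pos-022 10.0.7.7 310
2014-01-06T12:00:03 pos-017 10.0.5.20 60102
2014-01-06T12:01:00 pos-022 10.0.7.7 295
"""

def parse_flows(text):
    """Yield (timestamp, source, destination, byte_count) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, size = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(size)

def find_periodic_transfers(flows, min_events=4, max_jitter=0.05):
    """Flag terminal-to-unlisted-host pairs whose transfers recur on a timer."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in flows:
        if dst not in ALLOWED_DESTINATIONS:
            by_pair[(src, dst)].append((ts, size))
    findings = []
    for (src, dst), events in sorted(by_pair.items()):
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        # Coefficient of variation near zero means a timer, not shopper traffic.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"source": src, "destination": dst,
                             "interval_s": round(avg), "events": len(events),
                             "bytes": sum(size for _, size in events)})
    return findings

if __name__ == "__main__":
    print(find_periodic_transfers(parse_flows(SAMPLE_FLOWS)))
```

The check works from flow data alone, so it does not depend on anything left on the terminal itself.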

Apparently, according to iSight Partners, a security company employed by the Secret Services to analyse the attacks, the software is well written and covered its tracks (deleting its working files) so that it was not picked up by any malware protection software or analysis of transaction logs.

According to Aviv Raff, the CTO at Seculert, an Israeli security company that has been analysing the malware found on Target's systems, the criminals waited six days to avoid setting off alarms after moving the data from the infected server to a web server that was itself infected with malware, and from there to a server in Russia that served as a proxy to hide the hacker's whereabouts.

Although there have been cases of malware being placed into terminals at the point of manufacture, it is more common for the attackers to gain access to the merchant's network and to use the standard tools for connecting with the POS terminals and updating their software, in this case with malware.

We still hear of concerns about the security of financial payment cards, but really the terminal has always been the issue. Cards today are not economically viable to attack, but the POS terminal is actually more vulnerable today than it was 10 years ago. The problem is inherent to computing technology and relates to any device that a third party can persuade to host their software. The code may be malicious or just erroneous, but the implications can be severe.

It is readily apparent that malware may attack any computing device, be it a corporate server, a mobile phone or anything in between. Even when the attacker can't insert malware, it may be possible to make the computing device misbehave and consequently do damage or reveal sensitive information. However, if an attacker can get malware into the processing device, then they have unrestricted access to the data managed by that device. A POS terminal is the front-end processor for credit/debit card data and, where used, PINs.

It doesn't take any revelations in technology to realise that a smart EMV card cannot be copied as a result of these malware attacks because that would require the attacker to reverse engineer the chip to reveal the secret key used as part of the EMV protocol. As we have said previously these chips are no longer practical to counterfeit.

The problem is that other parts of the payment world can accept credit card numbers given as a phone or internet payment, where the secret key in the smart card chip is not used. Many years ago we dedicated our security efforts to making the payment card secure so that you wouldn't rely on the security of the terminal. It seems like only yesterday that we had multiple slots for SAMs (Secure Access Modules) in POS terminals to form the security end point. In fact, in some big security schemes SAMs still exist. I expect they will catch up one day.

However, the problem clearly arises because there isn't one standard for how the payment card works, and here the payment operators have a problem. How can you make payments taken over the phone or internet secure? Of course it goes without saying that you must ensure a delightful user experience. CAP (Card Authentication Program - calculator type widget) devices can be used for internet banking, but paying an on-line merchant is another problem.

Do you actually know anybody who hasn't had at least one fraudulent payment on their credit card? It's only going to get worse, because this is the new criminal playground and mobile phones are the new target of hackers.

Dr David Everett, SCN Technical Researcher.




