...Till Malware Shall Part Us Forever
It's a sad story...
Home Depot today admitted 56 million bank cards are at risk after they were used in malware-infected tills. The DIY giant on Thursday revealed that a software nasty infiltrated its PC-powered registers between April and September in the US and Canada. Cards swiped through the compromised machines could be accessed by the …
And probably hadn't had an update or security fix applied since the day they were installed. Which is much more likely to be a problem than the simple fact that they're running XP, which was still a supported OS at the time the malware was alleged to be introduced.
I see I hit a nerve.
And you would be right Phil because security updates can and would break the software.
Now, want to guess the most popular retail checkout software being used? Rhymes with Tomb Raider Lara. Goes by the initials RMS.
Bar and restaurants use a different kind, but they have the same underlying problem. XP. Thank god staff aren't bright enough to pull the hack required.
There needs to be a fine of something like 10% of market cap for shit like this. In this instance that breaks down to only about $220 per card. Oh, that's on top of paying for all the resulting fraudulent charges. It sounds harsh but it's the only way these folks are going to take security seriously.
I have to agree with Elmer, not a fine. The heart of the problem here is that the current form of incorporation protects those who are intentionally making bad decisions from the responsibility of those decisions. If you fine the company, they just jack their prices which only hurts the consumers a second time. Instead, for cases like this where it is obvious that simple precautions could have limited or prevented the breach, each and every person involved in implementing those decisions should be liable for damages to the consumer. And yes, that means from the CEO all the way down to the IT coalface guys like me. Their resources to be exhausted first and only after that do the shareholders start picking up the tab. Even holding the employees accountable first, I think shareholders are still likely to pick up 80% or more of the tab. Also, at some management level responsibility needs to translate to jail time. Definitely for the CEO, CFO, and CIO. Maybe everybody from Program Manager up, maybe it picks up the rung below that.
They can't really jack the prices since they still have to compete with other shops like Lowes. Otherwise we'll see a return of local hardware and lumber stores where breaches of this magnitude are likely to be impossible.
I hesitate to say "when this was all fields" but I grew up being able to go to the local lumber yard and tell Mr. Duncan that my dad needed so many two by four studs and a few pounds of ten penny nails for the barn and while I'll take the nails now would he be kind enough to deliver the studs, oh and please put it on our bill. That doesn't happen in many places today.
I was recently in Shenzhen in one of the 'dark' buildings
Sat in a room where a bunch of guys were around the biggest pile of 'POS' card readers I've seen in a long time, stripping off the cases and re-programming the firmware
They also had new packaging materials for them
The problem is most MIS departments buy hardware, but have no policy for auditing it, after all how many 'tech' guys actually have the ability to reverse engineer and check such equipment
From Home Depot's press release (https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf):
"The company also has completed a major payment security project that provides enhanced encryption of payment data at point of sale in the company’s U.S. stores, offering significant new protection for customers."
You shouldn't be rolling out encryption after the hack, you should be enhancing your security from the get-go, you should be having regular security testing that results in "Hey idiots, you need to enhance your security in X, Y, and Z." Honestly, there should never be a single review that comes back as "Everything checks out"
What a load of rubbish. I hope every major company gets hacked. Maybe then they will start taking security seriously, or consumers will demand better security
Encryption is expensive.... or at least it's not something that can be rolled out to hundreds or thousands of retail stores across a large geographical location with the snap of your fingers. While many larger retailers probably try to do business with a single payment processor, it wouldn't surprise me at all to learn that regulations across various states end up requiring a multi-state retailer to enter into multiple relationships.
And then there is the age-old problem in business: If it's broken, only replace it if fixing it daily becomes more expensive than the teardown and start-over approach. The devil you know and all that. I work at a company with a very substantial online presence, and the back-end is such a nightmare that we've put as much red-tape around it as possible to limit tinkering. However, those entities who were implemented under the "legacy" (most broken) process are going to stay there until the heat death of the sun or someone literally takes a match and gasoline into the datacenter this particular software is running out of. The reason? Because a lot of money was spent to shoehorn some folks into a box even a contortionist would shy away from. The entire thing is balancing on a knife's edge, so no one wants to even breathe the word "migration" lest the whole thing topple over and some Very Important People get phone calls.
The encryption thing is no different. Today, payments get processed in a timely manner. The retailer gets their money, the banks get their fees, and the consumer (usually) gets a hassle-free experience to get that new washer and dryer set. Upset that apple cart too much, and the lost revenue from sales may dwarf the hit caused by a PR black eye.
If they can get the malware onto the tills, they might have had physical access - embed a small phone or wifi device somewhere in the case (data out by sms if required) or just compromise the network at the store level.
If stores like Home Depot had anything approaching a clue, the segmented network approach you describe would have been implemented from day one.
POS terminals with hardened encrypted cable connections routed through secure, heavily isolated, regularly audited data centers and no local storage of CC numbers, pins, IDs or anything else remotely compromising would also be a good start. But try to explain all that to Target shareholders and executives.
Unfortunately, the real world is full of businesses handling confidential financial information on unaudited hardware. Often that hardware is connected to wifi and/or open public networks where it will just be hacked over and over again. To make you feel better, some of these hacked businesses will buy you free identity theft insurance for a year after your bank account has been cleaned out and your credit rating ruined.
It's sad really.
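A concrete check behind the "no local storage of CC numbers" point above: the script below is an added example (mine, not any commenter's and not Home Depot's code) that scans a till's local log or temp file for Luhn-valid card numbers, so a periodic audit can show whether clear-text PANs are being written to disk. The log contents are constructed for the example.

```python
import re

# Constructed sample of what a till's local debug log might contain.
SAMPLE = """2014-09-01 12:03:11 sale id=4471 total=84.20 tender=card
masked=4111********1111 auth=OK
debug: track2=4111111111111111=1812101 <- should never be written
note: customer read 5500 0000 0000 0004 over the phone
2014-09-01 12:05:02 receipt 000012345678 printed
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out receipt numbers, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (line_no, masked_pan) for every Luhn-valid 13-19 digit run.

    Only the first six and last four digits are kept in the report, so the
    audit output itself does not become another copy of the card number.
    """
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                hits.append((no, masked))
    return hits


if __name__ == "__main__":
    for line_no, pan in find_pans(SAMPLE):
        print(f"line {line_no}: clear-text PAN {pan}")
```

The already-masked value on line 2 and the 12-digit receipt number are correctly ignored; only the two real clear-text numbers are reported.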
After reading some of the comments here, I too wonder if jailing the clueless CEOs and IT staff that let it happen wouldn't improve things, but I don't actually think so.
Their very cluelessness makes them like a drunk who has been rolled, he shares partial responsibility for his situation, but in the end he was just overpowered by smarter, stronger people.
What might actually work though is this:
Make it illegal for any store to electronically process CC information unless it submits to regular security audits and is certified to use mandated best security practices and architecture.
Liability claims eventually made automobiles much safer, why can't we do the same with frickin' cash registers?
And if stores are still too clueless or poor to manage that, then they would need to pay someone to do it for them or else work with non-electronic means of payment only.
It sounds harsh, but by hitting everyone's bottom line (particularly the credit card companies) we might actually get some results.
"After reading some of the comments here, I too wonder if jailing the clueless CEOs and IT staff that let it happen wouldn't improve things, but I don't actually think so."
Wanna bet? And it's not the tech staff's fault. These disasters are the direct fault of the CXOs. It is they and they alone that set budgets and make policy.
The large 24 hour ASDA near me has 16 self service tills.
They leave them unlocked. If you push the handle with the lock on, it clicks and the screen of the machine lifts up, revealing the PC (yes, these are XP based too) and 4 usb slots.
The usb slots are enabled as this is how they reimage them if something goes wrong.
Sadly getting physical access is nothing like as hard as it should be.
I was discussing this with a friend who fixes cash machines, and he reminded me that almost all the threats he deals with are physical.
The problem with X.25 is that the telcos don't want to support or provide it anymore - just like they're doing away with DVACS for the alarm side - all these systems are being forced to move to IP-based communications - along with alarm systems! I'm really starting to get a bad feeling about this direction, as we're moving all our communications into 1 basket - and when it crashes EVERYTHING will go down....
There are some problems with this:
1. The need to connect credit/debit card readers to third-party validation systems
2. The need to link checkout data to third-party logistics providers
3. ....and so on.
Air-gapping is fine if you have a COMPLETE vertically integrated business which does everything.....and there isn't a retail organization in the world which is like that!
Funny that, I seem to be paying more by cash these days.
Not a conscious decision - and often a lot quicker.
You do get some odd looks now and then if it's anything more than about £30.
(at least most DIY tills now don't care which way round the note is presented)
Upvoted, but not entirely true. Counterfeit notes/coins would be the equivalent of malware in the EFTPOS machine.
I found a fake £1 coin in the reject slot of a parking machine the other day. It was clearly a fake but not easy to spot if you're in a shop accepting a handful of change from someone and the queue behind them means you don't have time to check each coin carefully.
Counterfeits aren't quite the same, since it's often possible to pass them on to a person or machine that isn't so picky. Of course that raises an interesting moral question, since people who wouldn't dream of knowingly passing on malware often show no reluctance to circulate a dodgy coin. Plausible deniability, maybe? There's probably a psychology PhD thesis in there somewhere...
Not quite the same but close enough that I can see since a direct comparison isn't entirely possible.
If someone gets a counterfeit note/coin they take a direct loss if they keep it and don't pass it on. Perhaps that explains the lack of reluctance to circulate counterfeits? Malware on the other hand people have no direct benefit/loss in circulating (unless they're the author!) so morals get a louder voice in its propagation. I don't know - but yes it would make for an interesting PhD!
For the avoidance of doubt, the falsie I found was permanently taken out of circulation!
I would say that counterfeited bank notes are a much older form of malware. While they might work for the customer, or even a retailer, they either will eventually be noticed and no credit will be given for the note, or the inflationary impact of those bank notes will hit all of us in the wallet.
There is already concern that state-sponsored (read N. Korea) counterfeiting is sophisticated enough to pass all but the most advanced detection systems. Not too much different from state-sponsored malware, I suppose.
Whenever I go to the local Home Depot, there are always a crowd of illegal aliens standing around outside in the shadows there. It is a crime to hire them. Inside there are these criminal terminals trying to steal our money. Is it possible that these are in any way connected? Is Home Depot profiting in any way from these criminal enterprises?
Biting the hand that feeds IT © 1998–2022