CrossCheck Blog


Check Processing & Payments Information

Data Security Threats: Learning from Big Box Retailers - Part 1

Posted by Tom Lombardo | Tue, Oct 07, 2014 @ 10:09 AM

When an independent company with fewer than 100 employees comes under a cyber attack like the ones that recently hit Target and Home Depot, it can expect a cleanup bill in the millions; the average cost of dealing with a data breach in 2014 ran about $3.5 million, and that does not include lost opportunities or the psychological toll such an experience exacts on the owners and staff.

Believing that this risk is remote makes it worse, because 31% of all targeted cyber attacks are aimed at businesses with fewer than 250 employees.

So how do you protect yourself?

Consider that the U.S. military declared cyberspace a new theater of war in 2011, that the Defense Advanced Research Projects Agency (DARPA) devotes vast resources to studying and tracking the threat, and that the heavily defended multinational financial institution JPMorgan Chase just lost contact data for 76 million households and 7 million small businesses to hackers. Those in search of simple answers may be disappointed.

It is better to understand the strange and nefarious landscape in its entirety, so you can make informed choices about your payment options and payment policies.

It All Began at MIT

“Hacking” originally arose from the well-established Massachusetts Institute of Technology tradition of pulling off outrageous pranks. Excellent pranks were funny, creative, exceedingly difficult and ultimately harmless. You might, for example, take over the lighting of the tallest building in Cambridge to turn its gigantic grid of windows into a fully functional game of Tetris. If you did, you would prove two things: first, that it was possible to take over a system designed to do one thing and make it do something else entirely; and second, that you were king of the nerds. (Some professors would even give extra credit for a really good prank.)

An element of that free spirit still exists in the hacking community. Hackers like to think of themselves as expert programmers, and when most of them find weaknesses in government or corporate networks, they report them. Quite often they are paid hefty five-figure bug bounties for the information.

Every summer they hold a conference in Las Vegas called DefCon, where high-ranking members of the United States military and intelligence communities show up (wearing jeans and a t-shirt, as NSA Director Keith Alexander did at DefCon 2012) to try to recruit them into government service, a pitch that often works.

Follow the Money

Sadly, many hackers cannot be motivated by anything other than money, and those are the ones threatening your business. To understand what hacking means to you, it helps to look closely at what happened to Target, Home Depot, Supervalu and others, especially since three smaller businesses, as yet unidentified in the press, were hacked at the same time and in the same way.

Huge retailers use a card payment system structurally similar to yours. There is a card reader at the point of sale. The card's data is transmitted to a system that routes the payment request to the correct bank. The bank then replies, either approving or declining the transaction.

The hacker wants the data from the magnetic stripe of a legitimate credit or debit card. That is the “product” he will sell. To get it, his understanding of this process has to go into considerably deeper detail.

See if you can find the weak link in this series of events. Remember that the whole process takes place inside a highly secure system:

First the data goes from the magnetic stripe into the memory of the card reader. From there it travels over a cable to the payment processing software on the POS computer, which combines it with transaction data, unique identification codes, and authentication codes.

This set of data travels over the network to the system that routes it to the correct bank. The vast majority of businesses use a third-party processor for this; most large retailers do not, having taken that function into their own network.

Either way, by the time the data reaches the routing system it is encrypted. The routing system and the bank also perform a cryptographic “handshake” that keeps their communication indecipherable to anyone listening in. From the moment the data is encrypted it becomes useless to the hacker.

In this series of data transfers there is only one window, a fraction of a second long, where the data is neither encrypted nor inside a hardened part of the system. Can you guess when that is?

Here is a hint: the malware behind all the recent attacks is called “BlackPOS.”

First seen in early 2013, BlackPOS is a “RAM scraper.” It targets the window after the reader hands the card data to the POS software and before that software encrypts it for transmission. During that window the full card number and the rest of the stripe data sit unencrypted in the POS computer's working memory (RAM), and BlackPOS reads them straight out of that memory. The only vulnerable moment is literally the moment the customer swipes the card through the machine, so that is the moment the hackers used.

The crime is committed before the customer gets her card back into her wallet.

What does one weak link in an otherwise hardened chain cost? At Target, breach-related expenses had reached $148 million by mid-2014, the share price took a hit, and both the CEO and the CIO lost their jobs. In other words, it costs quite a lot.

Yeah, But How…

But how did BlackPOS get into the POS system in the first place?

That is what is under investigation, and for obvious reasons the authorities are not providing details. Conjecture in the media focuses on people, usually executives, who have the ability to log in to corporate systems remotely. A hacker might use a “phishing” attack to trick such a person into doing something that lets the hacker steal their login credentials. Press reporting has since pointed to a third-party HVAC contractor whose network credentials were stolen that way, but the exact chain of events has not been officially confirmed.

More is known about BlackPOS itself. Turning a building into a game of Tetris is kid's stuff compared to this; BlackPOS is like turning a building into an airplane.

Once inside the POS system it installs itself on every POS terminal it can find. It records every swipe by writing the data into a text file hidden somewhere else on the network. When activity on the terminal ceases, it waits seven hours. It has a built-in FTP client and a built-in email program, so it can then either FTP the data to an outside server where the hacker can collect it, or email the text file to the hacker as an attachment.

Is Anyone Watching?

Shouldn't that last step set off an alarm? How can malware transfer anything from inside the network to the outside without tripping a security precaution?

It can't. In fact, six months before the attack Target had installed a $1.6 million malware detection system that worked as designed. The moment BlackPOS began exporting files, the system began sending multiple alerts to its human operators.

Those alerts were ignored, either by the operators or by their managers, which may explain the personnel changes Target made as a result.

Making this situation even more frustrating is the fact that the card brands and processors require their clients, including Target, to comply with an elaborate set of security measures (the Payment Card Industry Data Security Standard, PCI DSS) and to have that compliance verified by third-party assessors.

And shortly before the breach began, Target's third-party assessor had confirmed that they were fully in compliance.
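The alert the post describes is not exotic. A POS terminal has exactly one legitimate conversation partner, the payment switch, so any connection it opens to the outside world is suspicious, and an outbound FTP or mail connection is a near-certain sign of exfiltration. The following added example (not from the original post, and not the product Target used) runs that rule over a handful of constructed firewall log lines. The log format, the POS VLAN 10.50.1.0/24, the destination addresses and the port list are all assumptions for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log lines in an assumed format:
# "timestamp src dst proto dport action". Not from any real network.
SAMPLE_LOGS = [
    "2013-12-02T02:10:11Z 10.50.1.21 10.50.1.5 tcp 443 allow",       # POS -> internal switch: fine
    "2013-12-02T02:14:40Z 10.50.1.21 203.0.113.9 tcp 21 allow",      # POS -> external FTP
    "2013-12-02T02:14:41Z 10.50.1.21 203.0.113.9 tcp 21 allow",      # POS -> external FTP
    "2013-12-02T02:15:02Z 10.50.1.33 198.51.100.77 tcp 25 allow",    # POS -> external SMTP
    "2013-12-02T02:15:30Z 10.50.1.33 203.0.113.40 tcp 443 allow",    # POS -> external HTTPS
    "2013-12-02T02:16:00Z 10.10.7.4 198.51.100.77 tcp 25 allow",     # corporate mail relay, not POS
    "2013-12-02T02:17:30Z 10.50.1.21 10.50.1.8 tcp 445 allow",       # internal SMB: other rules' job
    "",                                                               # blank line: skipped
]

POS_SEGMENT = ipaddress.ip_network("10.50.1.0/24")   # assumed POS terminal VLAN
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports a RAM scraper's built-in FTP client or mailer would use to ship the file out.
EXFIL_PORTS = {20: "ftp-data", 21: "ftp", 25: "smtp", 587: "smtp-submission"}


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def detect_pos_egress(lines) -> list:
    """Flag every allowed connection a POS-segment host opens to a non-RFC1918 address.

    Severity is "high" when the destination port is a known exfiltration service
    (FTP, SMTP) and "medium" for any other external destination, because a POS
    terminal should not be talking to the internet at all.
    """
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue                       # blank or malformed line
        ts, src, dst, proto, dport, action = fields
        if action != "allow":
            continue                       # blocked traffic is a different signal
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in POS_SEGMENT or is_internal(dst_ip):
            continue
        port = int(dport)
        alerts.append({
            "time": ts, "src": src, "dst": dst, "port": port,
            "service": EXFIL_PORTS.get(port, proto),
            "severity": "high" if port in EXFIL_PORTS else "medium",
        })
    return alerts


def summarize(alerts) -> dict:
    """Count alerts per POS host so a handful of noisy terminals stand out."""
    return dict(Counter(a["src"] for a in alerts))


if __name__ == "__main__":
    found = detect_pos_egress(SAMPLE_LOGS)
    for a in found:
        print(a["severity"].upper(), a["time"], a["src"], "->", a["dst"], a["service"])
    print(summarize(found))
```

Two of the sample hosts produce four alerts between them; the corporate mail relay on 10.10.7.4 is deliberately not flagged, because the rule is about where the POS segment is allowed to talk, not about SMTP in general. The harder problem, as the post goes on to say, is what happens to the alert once it fires.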

Then What?

So what happens after a fully compliant retail establishment is so thoroughly hacked that its own servers send lists of card numbers to criminals?

Well, the hackers put the card numbers up for sale.

A screenshot of the site where Target's numbers were sold looks like an online playground for eight-year-old girls, but it is in fact a highly sophisticated black market with so many mirrors and redirects beneath it that finding the original server the page comes from is practically impossible. Sites like this resurface elsewhere almost as quickly as the authorities shut them down.

The text in the logo says “Lampeduza Republic,” a criminal organization based in the Baltic States with an internal hierarchy modeled on that of the Roman Empire, and identical to that of ROME II (All Out War), a video game this particular group of criminals apparently loves.

Buyers of the card numbers manufacture counterfeit cards with them, and purchases made with those cards gave the first clue that someone's data had been breached. Many of the numbers are used for online purchases as well, since “card not present” sales are easier to fake. And of course some of the “businesses” processing these purchases actually launder the money, turning the card data into cash or, preferably from the criminal's point of view, into Bitcoins.

Needless to say, a “product” like this has a very short shelf life. This makes it critical for the criminals to collect as much data as possible and to sell it before their activity is detected. Their buyer then has a window of time to use the data to steal money before the card issuers cancel all the stolen numbers.

Simple Solution After All?

Since it all seems to have come down to human error at Target, when warnings that malware was sending data out were ignored, it might seem we have arrived at a simple solution after all.

But we haven't.

Next, we'll consider the way Home Depot responded to the Target breach.

Before we do, a reminder: while credit card fraud is massive and vastly expensive, check fraud can be nearly as costly without the proper risk mitigation. Thankfully, simple precautions virtually eliminate that risk. Please contact us and we'll tell you how check guarantee works.


Topics: Retail

Written by Tom Lombardo