Shoppers weren't the only ones rooting through Target stores the week of Thanksgiving. The giant retailer acknowledged this morning that intruders penetrated its systems beginning the day before the holiday, and maintained access for more than two weeks, potentially stealing the credit and debit card details of an estimated 40 million customers.
The breach, which was first reported by security journalist Brian Krebs on Wednesday, continued through December 15 and may have affected all locations nationwide. Customers who shopped through Target's online storefront are not believed to have been affected.
The thieves breached the point-of-sale (POS) system and stole customer magstripe data, including names, credit or debit card numbers, expiration dates and everything else needed to make counterfeit cards. Target did not say whether PINs were also taken; with those, the thieves could use the account data to withdraw cash from ATMs.
It's unclear how the breach of the point-of-sale system occurred. It's possible the thieves installed malware on the card readers at stores or breached the transaction network and sniffed data at a point that it was not encrypted.
Last year, thieves breached the point-of-sale system of 63 Barnes and Noble stores in nine states. In that case, the hackers installed malware on the point-of-sale card readers to sniff the card data and record PINs as customers typed them.
In July 2012, security researchers at the Black Hat security conference in Las Vegas showed how they were able to install malware onto POS terminals made by one vendor, by using a vulnerability in the terminals that would allow an attacker to change applications on the device or install new ones in order to capture card data and cardholder signatures.
The researchers found that the terminals, which run a Linux-based operating system, had a vulnerability: firmware updates did not have to be authenticated. They installed their malware using a rogue credit card inserted into one device, which caused it to contact a server they controlled, from which they downloaded malware to the device.
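The flaw described above, a terminal accepting firmware updates without authenticating them, is closed by having the device verify a vendor signature over the image before anything is written to flash. The Go program below is an added example and is not code from the researchers, the terminal vendor, or the original article; the update format (4-byte version plus image under an Ed25519 signature), the SignUpdate helper standing in for the vendor's build system, and the anti-rollback rule are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a firmware image plus what the terminal must check before flashing it.
// Assumed format: the vendor signs a 4-byte big-endian version followed by the image.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}
var ErrBadSignature = errors.New("update rejected: signature does not verify against vendor key")
var ErrRollback = errors.New("update rejected: version is not newer than the installed one")
// signedPayload is the exact byte string the vendor signature covers.
func signedPayload(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// SignUpdate stands in for the vendor's build system (hypothetical helper).
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	sig := ed25519.Sign(priv, signedPayload(version, image))
	return Update{Version: version, Image: image, Signature: sig}
}

// VerifyUpdate is the gate a terminal runs before writing an update to flash: vendorPub
// is pinned in at manufacture, and installed lets it refuse signed-but-older images.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(vendorPub, signedPayload(u.Version, u.Image), u.Signature) {
		return ErrBadSignature // unsigned, tampered, or signed by a non-vendor key
	}
	if u.Version <= installed {
		return ErrRollback // anti-rollback: the version field is covered by the signature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (demo only)
	img := []byte("constructed firmware image v2")
	fmt.Println("vendor-signed v2 on v1:", VerifyUpdate(pub, 1, SignUpdate(priv, 2, img)))
	fmt.Println("same image on v2 (rollback):", VerifyUpdate(pub, 2, SignUpdate(priv, 2, img)))
}
```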
But this isn’t the only way to tamper with POS terminals.
In May 2012, Canadian police busted 40 people involved in a sophisticated carding ring that tampered with POS terminals in order to steal more than $7 million. Police said the group, based out of Montreal, seized point-of-sale machines from restaurants and retailers in order to install sniffers on them before returning them to the businesses.
Police said the thieves took the POS machines to cars, vans and hotel rooms, where technicians hacked into the processors and rigged them so that card data could be siphoned from them remotely using Bluetooth. The modifications took only about an hour to accomplish, after which the devices were returned to the businesses before they re-opened the next day. The ring is believed to have had inside help from employees who took bribes to look the other way.
These breaches were minor in comparison to the one that targeted Heartland Payment Systems in 2009, which compromised more than 100 million accounts. In that case, thieves broke into a card processor's network to steal data as it came in from multiple retailers on its way to being authenticated by banks.