FBI warns of more cyber attacks like Target's

With the announcement of the theft of personal information from nearly 110 million Target customers last month, many retailers and consumers are on high alert - and for good reason. As if that weren't enough, major retailers such as Neiman Marcus also had customer information stolen via a security breach. Now, the FBI has released a statement warning retailers of the potential for future attacks, as well as the increasing trend in malware affecting POS (Point of Sale) machines such as cash registers and credit card swiping devices.

The confidential report stated that the FBI believes that "POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it". They also made note of the availability of malware on "underground forums" as well as the large potential for profits to be made from POS attacks, as warnings to the retailers in an attempt to get them to tighten up security. 

According to Reuters, which initially obtained the report, all of the attacks thus far have seen cyber criminals utilizing memory parsing software, or "RAM scrapers", which extract customers' transaction data from the computer's live memory after a customer swipes their card - in the brief moments when the data is unencrypted and stored as plain text. The vice president of the National Retail Federation, the world's largest retail trade association, stated that "Retailers have been and remain vigilant in their efforts to provide the highest level of security for their data systems in order to protect against malicious and criminal acts". Only time will tell, however, exactly how proactive these retailers will be in protecting their customers' personal information.

Source: Reuters via LatinPost

22 Comments


So the FBI is admitting their plans eh? Hmm, how to protect oneself from such an agency? Don't make an account... nothing good comes from store club services...

If everything goes through the computer memory, what difference does it make?
In theory credit cards already have a PIN.. that's CVV?
As for chip, I honestly don't see the difference other than transmitting the same information through alternative means

Their weak excuse was "it's too expensive." Well, how expensive is it now in repairing the damage being done? Pity that Target's attempt years ago didn't catch on.

To: ThunderRiver: Because it doesn't! When you use a Chip'n'PIN reader, the device itself checks the PIN from its keyboard and compares it with the PIN in the card chip. NOTHING goes to computer memory. In more advanced readers, they connect to the processing center by an encrypted channel and return to the POS computer program only the result - accepted, or rejected with error codes. But if, as Americans, you use old types of POS terminals, with magnetic stripe, it's a completely different picture. First, you don't even need the PIN! In most cases - swipe the card, receive the receipt, that's all. That's a skimmer's paradise! You give your VISA to a waiter, he goes to the POS and returns your card with the check. But on the way he scans your card with a skimmer device, and after 10 minutes thieves can already print a working copy of your card. But this is very old technology; I think it still exists only in America.
In old POS machines, all the work was done by software inside the computer. The first card readers copied magnetic stripe info even without encryption, just emulating keystrokes! That's why such ancient cards are banned in the EU. Target talks about a "complicated attack" bla-bla-bla. A virus, even a complicated one, can't decrypt a VPN "on the fly". I think this is simply bull**** to cover that the POS devices were very ancient and had no encryption at all.

My only thought on a card using a chip instead of a magnetic card reader is, couldn't someone make an app for smartphones, where if they bump the phone near your wallet to get in close enough proximity, they could read that chip and steal information that way?

Also, some malware affects the PIN pad devices themselves as well, so information could be stolen there.

Bottom line, no matter what kind of security they develop, the hackers will have an answer for it and will be able to steal people's information faster than security can be updated.

Vlad Kollerov said,
To: ThunderRiver: Because it doesn't! When you use a Chip'n'PIN reader, the device itself checks the PIN from its keyboard and compares it with the PIN in the card chip. NOTHING goes to computer memory.

Nothing goes to computer memory?!? How is that possible? Even if it is a really simple POS gateway.. it has to temporarily store the PIN value you entered.. I can't imagine doing some operation with no memory to hold data.

Why do you need to hold this data at all? The PIN is stored inside your chip, encrypted. The POS application needs only one thing from the card reader - whether the payment is authorised or not. When you enter your PIN, information goes only between the card reader and the card chip. Encrypted. Nothing goes outside. It's all inside the device. When verification is complete, the card reader connects to the processing centre by VPN, and then, when it has received approval from the p.c., only then does it answer the waiting POS application that the operation is approved. Why do the POS application and computer need to know your PIN and card number at all?

ThunderRiver said,
So does anyone know how the POS machine got infected in the first place? Or are these POS machines truly just POS?

They were XP machines running XP Embedded (all 40,000 of them) .. I'm quoting from Security Now

So as late as January 16th no antimalware software is recognizing this. So it's been known for, like, it was first seen back in September of last year, of 2013. And it is believed that Target discovered it around mid-December because it was briefly uploaded to the Google-owned VirusTotal site and appeared there and then was taken down not long after. So there's a research lab, Seculert, that found the sample and actually executed it under a virtual environment of Windows XP. And they discovered that it has two stages. It first infected their checkout counters, their point-of-sale devices, to extract credit card numbers, and it collected them for six days. Then it uploaded those to another machine in Target's network. And I did notice some reports saying that part of the way they got in was poor passwords. Apparently the internal passwords were easily guessable, and so the software used those in order to move the collected customer data onto the central server after six days.

And then it was exfiltrated to another website somewhere else in the world, and that location was never given. And that appeared to be a hijacked website that was running an open FTP server. So that FTP server collected this data. And then a third virtual private server located in Russia was used to download that stolen data from that hijacked intermediate server over the course of two weeks, pulling a total of 11GB of stolen sensitive customer information over the course of that time. And these guys say that there was no indication, given the FTP logs, the only connections they saw were to Target servers, or from Target servers to this FTP server. And they didn't see any indication that the also-suspected Neiman Marcus compromise was also going on at the same time. However, in very up-to-the-minute rumors which are beginning to surface, there are apparently six other retailers that have been identified, but not disclosed, that also appear to be victims of this software. So that's happening.
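The staged path described in the quoted passage above (registers sending data to another internal machine, which then pushes it out over FTP) is something network flow records can surface. The following is an added example, not part of the original comment or the quoted podcast; the subnets, the allowlisted payment host and every flow record are constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# All networks, hosts and flow records below are constructed for illustration.
POS_NET = ip_network("10.20.0.0/16")   # assumed VLAN holding the registers
INTERNAL = ip_network("10.0.0.0/8")    # assumed corporate address space
EXPECTED_POS_PEERS = {"10.1.1.10"}     # assumed payment switch registers may reach

FLOWS = """\
ts,src,dst,dport
2014-01-10T09:00:00,10.20.3.14,10.1.1.10,443
2014-01-10T09:05:00,10.20.3.14,10.5.0.77,445
2014-01-10T09:06:00,10.20.8.41,10.5.0.77,445
2014-01-10T11:30:00,10.5.0.77,203.0.113.25,21
2014-01-10T11:45:00,10.5.0.99,198.51.100.7,21
2014-01-10T12:00:00,10.20.8.41,10.1.1.10,443
"""

def find_staged_exfil(flow_csv):
    """Alert on internal hosts that first received connections from POS
    terminals and later opened FTP sessions to external addresses.
    Records are assumed to be in chronological order."""
    staging = {}   # internal host -> set of POS terminals that contacted it
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        # Stage 1: a register reaches an internal host outside its allowlist.
        if src in POS_NET and dst in INTERNAL and row["dst"] not in EXPECTED_POS_PEERS:
            staging.setdefault(row["dst"], set()).add(row["src"])
        # Stage 2: that same host then speaks FTP (control port 21) to the outside.
        elif row["src"] in staging and dst not in INTERNAL and int(row["dport"]) == 21:
            alerts.append({
                "ts": row["ts"],
                "staging_host": row["src"],
                "external_dst": row["dst"],
                "pos_sources": sorted(staging[row["src"]]),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_staged_exfil(FLOWS):
        print(alert)
```

The outbound FTP session from 10.5.0.99 is not flagged because no register contacted that host first; correlating the two stages keeps the rule from firing on every FTP transfer.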

Thanks for the information warwagon!
So in theory XP is not really at fault, but rather the virus detection was delayed by delayed discovery. Had these POS machines been running Windows 7, would they have stayed clear of the virus? I wonder

n_K said,
I'm waiting for the day the FBI warns of more illegal data gathering by the NSA...

You've got it backwards. "Announcements" like this are only made so the NSA's activities can be "justified" and have to carry on (and increase).

If you are that worried, then use a prepaid card or cashier's check for store purchases... for online purchases, use a prepaid card which allows you to reload when needed. You wouldn't worry about it... Unless your bank has fraud protection on your account.

timster said,
A warning was needed? Was anyone expecting cyber attacks to stop?

A warning was needed five years ago. This is more a 'you're going to be screwed very shortly' notification.

TheExperiment said,

A warning was needed five years ago. This is more a 'you're going to be screwed very shortly' notification.

I would say all "warnings" were out the door in the 70's after the first attacks over ARPANET and modems, which Phreaking predates by several years.

All "warnings" since then are just a reminder that if a person needs one... and they have ever touched relatively modern technology at all... they just might be an idiot.