PoSJust before Christmas last year the mother of all hacks took place in the US. Target, a retailer which sells everything from kid’s swings and outdoor flooring to curling irons and razor sharp HD smart TVs had its point of sales (PoS) systems hacked.

Information from up to 40 million customer’s credit and debit cards was lifted by hackers. Within days, this information started appearing on underground web sites which specialize in this type of information. Some of the credit card details were going for about $20 each.  So worried were the banks that some of them even dived into the deep web and bought up the credit/debit card information to protect their reputation and their customer’s bank accounts.

Bad headlines, plunging profits

The Target hack made the news and continues to hit the headlines, simply because of the enormous scale of the hack. The latest chapter is an almighty 46% plunge in company’s profit for the last three months of 2013. As the US’s second largest retail discount chain, it’s clearly taken a battering, with many customers understandably treating the company as a bit of a retail leper.

But the fact is that most PoS hacks are often way down the news agenda and are often not reported because they happen on a much smaller scale. Harried reporters, driven by new editors and the need to continually produce the goods in terms of big stories, understandably focus on cyber espionage or big denial-of-service attacks. The average PoS attack on the other hand, tends to target independent retailers, a restaurant or a local service, and as such doesn’t generate much press coverage.

Would you like some hacking with your meal, sir/madam?

Hackers understand the value of these small scale attacks. Sale prices for credit and debit cards on the deep web can vary between $20 to $50, sometimes a little bit more or a little less.  If a hacker can penetrate a restaurant’s PoS and lift the credit card details acquired in just one weekend evening, say 100 that can lead to $2,000 profit.

There are security standards that retailers should adopt to protect credit/debit card information and many do, most notably PCI. However, there are plenty of critics who point to the widely accepted PCI standard for retail card payments as being weak and ineffective. And even it could be more than it is, other industry insiders says many smaller retailers don’t comply with it.

Despite adherence to PCI standards the vulnerabilities often lie in the inner systems and software running on these systems.  And this is one of the charges levelled at Target – there was a vulnerability in which data gathered by the PoS device was momentarily exposed before it was encrypted and sent over an internal network.

It’s still not definitively clear how it was carried out but what is fairly certain is that the hackers used malware that instructed PoS cash registers, connected to an internal network, to send customer data back to a malware infected Target server once every hour.

From Russia… with code

These customer data files were then apparently sent to a web server and wiped from the Target server so there was no memory of it within the Target server. To avoid triggering any alerts the cyber criminals coded the malware to then send the customer data files to a server in Russia but only after a period of six days.  The hack was so clever the company didn’t know anything about it until the US Secret Services notified the company about its suspicions.

The investigators had been tracking the cyber criminals believed to behind the attack overseas and also monitoring suspicious credit activity spotted. They had detected a pattern: suspicious credit/debit card transactions that also featured charges and payments made at Target.

From Minneapolis to Nairobi

For example, a long time married Minneapolis man who checked his monthly American Express bill saw the usual Target purchases which were then followed by an unusual membership subscription to Match.com and the purchase of a $1,291.58 plane ticket from Lagos, Nigeria, to Johannesburg and Nairobi, Kenya.

This pattern, of a Target purchase, followed by other purchases that didn’t follow previous purchasing patterns created its own pattern. The Target hack and other PoS hacks reveals a fundamental flaw in human psychology and one that is no doubt designed to act as defense mechanism – like death, its something that always happens to someone else – and never us, until it does.

Compliance with security standards often creates a false sense of security and if anything the Target hack revealed that cards which use magnetic strips to store and transfer data are outdated. 

A data siphon

Magnetic strip cards are common in the US. Some industry insiders say this was the cause of the Target debacle because it’s easier to siphon data from these cards which are more akin to the cassette tapes of yesteryear than the modern security practices required today.

The European Chip and Pin has been widely touted as the answer to vulnerable magnetic strip cards.  Chip and PIN cards contain a computer chip with information that’s read by an ATM or retail PoS machine. The user enters his or her PIN which matches the PIN on the chip to authenticate the transaction.

When a customer pays for goods, the ATM or PoS terminal accesses the chip on the card. Once the card is verified as authentic, the 4-digit PIN is entered and submitted to the chip on the card.  If the two numbers match the chip tells the terminal the PIN is correct.

The chip and PIN software installed in ATM’s and PoS machines is supposed to create an unpredictable number to authenticate each transaction.  However, this has proven to be vulnerable to attack.  If this number can be predicted hackers can clone the chip without actually cloning it.

Cambridge boffins

The flaw was revealed by researchers at Cambridge University’s Computer Laboratory. It’s a rare form of attack and Chip and PIN are infinitely more secure than magnetic strip cards, but the researchers got onto the flaw following contact from a UK citizen who had his Chip and PIN card compromised when travelling around Europe.

In the recent past PoS hacks have ranged from the clever to more mainstream.  In one case hackers revealed how they had identified flaws in PoS Linux operating systems. They installed malware via a credit card that was fed into a PoS machine. The malware then contacted a server controlled by the hackers and malware downloaded onto the PoS terminal.

Hanging in hotels

Another PoS hack in Montreal, Canada, involved a group of thieves who actually physically removed the PoS terminals and then took them to technical people nearby waiting in cars, vans and hotel rooms. Sniffers were then installed on the terminals.  When the terminals began collecting card details, the data was downloaded and used on blank cards. Almost $8 million was stolen using the cards before the gang was caught.

It’s almost a case of where there’s something valuable to be stolen someone will find a way of doing it.  And the thing about hacking is that the perps can be thousands of miles away. The hackers behind the Target attack are understood to have operated out of Eastern Europe and Russia.

A good answer

If you’ve got a Chip and PIN card you can be reasonably assured of relative safety. But that said no method is ever completely foolproof.  You can protect yourself with good identity theft protection.  Should your details be lifted from some PoS somewhere and appear on the deep web or be used to make an online purchase, identity theft protection will ensure you find out about it before any damage is done.

It’s a saving grace, in that as clever as hackers can be, the corollary is that there’s equally clever technology that scans the vast electronic web that is the Internet for your details and alerts you within seconds if they are discovered.

avatarWritten by Steve Bell (82 Posts)

Steve has a background in IT and business journalism and in the past has written extensively for both the UK national and trade press including The Guardian, Independent-on-Sunday, The Times, The Register, MicroScope and Computer Weekly. He's also worked for most of the world's largest IT companies in a copy and content producing capacity. He has a particular focus on IT security and has been involved in writing about the industry at various levels ranging from magazine launches to producing newsletters. He also runs a small copy writing business called Art of Words. When not bashing away at a keyboard he can sometimes be found in a boxing gym making futile efforts to keep fit or marveling at the works of Sufi poets such as Jalaluddin Rumi and Hafiz of Shiraz.


Leave a Reply

Your email address will not be published.


*