In a recent interview, Andrew Komarov, CEO of U.S. security startup IntelCrawler, described the malware used in the Target data breach as a memory-dump scraper that infected Target’s Windows-based Point-Of-Sale (POS) registers. The malware Komarov identified, named Reedum, is a variant of the BlackPOS malware he discovered in March of 2013, and it is difficult to detect using malware scanners. Target could nevertheless have defended against it.
If all of the POS systems deployed in Target’s stores used card readers like the one in its store in Braintree, Massachusetts, the credit card data could have been encrypted using the Triple DES (3DES) algorithm. In the side-by-side comparison below, the credit card terminal used in Braintree looks like the Hypercom Optimum L4150 (pdf).
The Optimum L4150 was connected to the point of sale register with a USB, Ethernet or RS232 cable and supports encryption of credit card data.
Jason Schnellbacher of the Prineta software development team, which is familiar with the L4150 card reader terminal and related encryption practices, reviewed this point of sale equipment:
"The bank card PINs were definitely encrypted with the 3DES algorithm, but there is a question if the credit card data was encrypted. The L4150 terminal has the capability to encrypt the credit card data using any of a number of standard encryption algorithms, but if the POS system vendor chose one, it would be 3DES. However, the connection between the card reader terminal and the POS device is considered secure and oftentimes the credit card data is sent as clear text to the POS device where it is only then encrypted and sent upstream for processing. We don't know how Target and its POS vendor NCR implemented this encryption, but based on industry practices there is a better than even chance that the credit card data was not encrypted. If POS system vendor NCR enabled 3DES, all the thieves stole was encrypted data."
Chris Wysopal, founder and CTO of Veracode, responded to the question "how difficult would it be to extract the key and decrypt the data from 100 million credit cards if they were encrypted with 3DES?"
"It shouldn’t be possible to brute force 3DES in a reasonable amount of time without a very big supercomputer."
Encrypted credit card data can’t be monetized, so the thieves may have only made themselves targets of an FBI manhunt. Instead of a treasure trove of credit cards, if 3DES encryption was implemented, all they got was a bucket of bits.
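The distinction Schnellbacher draws, between a reader that hands the register ciphertext and one that hands it clear text, is easy to see in code. The following Go program is an added example, not code from the article, NCR, Hypercom or Prineta: it encrypts a constructed Track 2 record with 3DES (DES-EDE3) from Go's standard library and runs over both the plaintext and the ciphertext the kind of pattern match a PCI data-discovery scan uses to find card data in a buffer. CBC mode, PKCS#7 padding, the 24-byte key, the IV and the test PAN are all assumptions made for the example; the article does not say which 3DES mode or key arrangement the L4150 uses. The decrypt step is included to show the point Schnellbacher is making: if the register itself holds the key and decrypts, card data is back in clear text in the register's memory, which is exactly where a RAM scraper reads. A practical caveat: NIST has since deprecated 3DES, so a design built today should use AES, though Wysopal's point about brute force stands for 3DES's effective key length.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
	"regexp"
)

// Constructed sample values (not from the article): a 24-byte 3DES key, an
// 8-byte IV, and a Track 2 record built around the well-known 4111... test PAN.
var (
	SampleKey    = []byte("0123456789abcdefghijklmn")
	SampleIV     = []byte("iv-iv-iv")
	SampleTrack2 = []byte(";4111111111111111=25121011234567890?")
)

// track2Pattern approximates what a PCI data-discovery scan looks for in a
// buffer: a 13-19 digit PAN, '=', then a YYMM expiry, as laid out on Track 2.
var track2Pattern = regexp.MustCompile(`[0-9]{13,19}=[0-9]{4}`)

// ContainsTrack2 reports whether buf holds something shaped like Track 2 data.
func ContainsTrack2(buf []byte) bool { return track2Pattern.Match(buf) }

// pkcs7Pad returns a padded copy of b without modifying the caller's slice.
func pkcs7Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%des.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt3DESCBC encrypts plaintext with 3DES (DES-EDE3) in CBC mode under a
// 24-byte key, PKCS#7-padded; the IV is prepended to the returned ciphertext.
func Encrypt3DESCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key) // fails unless len(key) == 24
	if err != nil {
		return nil, err
	}
	if len(iv) != des.BlockSize {
		return nil, errors.New("iv must be 8 bytes")
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, des.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[des.BlockSize:], padded)
	return out, nil
}

// Decrypt3DESCBC reverses Encrypt3DESCBC. This is the step a register would
// perform if it held the key, and the moment card data is clear text in RAM.
func Decrypt3DESCBC(key, data []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*des.BlockSize || len(data)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext length invalid")
	}
	iv, ct := data[:des.BlockSize], data[des.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	ct, err := Encrypt3DESCBC(SampleKey, SampleIV, SampleTrack2)
	if err != nil {
		panic(err)
	}
	fmt.Println("scan of clear-text buffer finds track data:", ContainsTrack2(SampleTrack2))
	fmt.Println("scan of 3DES ciphertext finds track data:  ", ContainsTrack2(ct))
	pt, _ := Decrypt3DESCBC(SampleKey, ct)
	fmt.Println("scan after register-side decrypt:          ", ContainsTrack2(pt))
}
```

The design point is where the key lives: the ciphertext is only a "bucket of bits" to whatever reads the register's memory if the register never holds the key, which is the arrangement usually called point-to-point encryption.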
POS system manufacturer NCR did not respond to a request for comment on the details of encryption of the credit card data between the card reader terminal and the POS device.
Interview with Andrew Komarov
Andrew Komarov is the CEO of U.S. security startup IntelCrawler. In March of 2013 he identified a variant of the malware used in the Target attack.
Q: Please describe the malware used in the Target data breach.
Komarov: The malware used to steal over a hundred million credit and debit cards from Target was a dump-memory-scraper called Reedum. It is a variant of BlackPOS that I identified in March of 2013 when employed by another forensics company. The code is not very complex and there are other variants, such as Kartoxa. BlackPOS was reported at that time to Symantec and FireEye, at their request, and Dell SecureWorks.
Q: Could Target have detected the Reedum malware and defended against it?
Komarov: It is difficult to detect malware like this because the bad actors that use it employ coding techniques that obfuscate them. Nevertheless, good Microsoft Windows system administration and security practices would protect against dump-memory-scraper malware. Limiting remote access, controlling user account privileges that limit the software that can be run on the Windows based POS device, what resources a program can use, limiting the other devices to which a program can communicate and a good perimeter defense against intrusions, are some of the precautions that should be implemented. All of this is described quite well in the Payment Card Industry Data Security Standard (PCI DSS).
Q: How did the perpetrators of the Target data breach steal the credit card data?
Komarov: The dump-memory-scrapers are all pretty simple - scanning the RAM and extracting strings of dumps after they are processed through the POS device to a remote PC using FTP and more recently HTTP.
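Komarov's two answers above point at one of the cheapest controls a retailer has: a register has no business opening FTP or HTTP connections to anything but its payment processor and management hosts, so a POS host reaching anything else is worth an alert regardless of how well the scraper itself is obfuscated. The following Go program is an added example, not code from the article or from IntelCrawler: it parses a constructed firewall-style connection log, applies an egress allowlist for a POS network, and returns the records that violate it. The log format, the addresses (10.20.31.0/24 as the register VLAN, 10.20.1.0/24 as the only permitted destination) and the policy are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Conn is one connection record parsed from a firewall-style log line.
type Conn struct {
	When    string
	SrcIP   net.IP
	DstIP   net.IP
	DstPort int
}

// ParseConn parses a line shaped like (a constructed format, not any vendor's)
//   2013-12-02T03:14:07Z src=10.20.31.7:49322 dst=10.20.1.10:443 proto=tcp action=allow
// and reports false for malformed input so a bad line cannot poison the run.
func ParseConn(line string) (Conn, bool) {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return Conn{}, false
	}
	c := Conn{When: fields[0]}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 || (kv[0] != "src" && kv[0] != "dst") {
			continue
		}
		host, port, err := net.SplitHostPort(kv[1])
		if err != nil {
			return Conn{}, false
		}
		if kv[0] == "src" {
			c.SrcIP = net.ParseIP(host)
			continue
		}
		c.DstIP = net.ParseIP(host)
		if c.DstPort, err = strconv.Atoi(port); err != nil {
			return Conn{}, false
		}
	}
	if c.SrcIP == nil || c.DstIP == nil {
		return Conn{}, false
	}
	return c, true
}

// EgressPolicy: hosts in POSNets may only open connections into Allowed.
type EgressPolicy struct {
	POSNets []*net.IPNet
	Allowed []*net.IPNet
}

func parseCIDRs(cidrs []string) ([]*net.IPNet, error) {
	var out []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		out = append(out, n)
	}
	return out, nil
}

// NewEgressPolicy builds a policy from CIDR strings, rejecting bad ones.
func NewEgressPolicy(posCIDRs, allowedCIDRs []string) (EgressPolicy, error) {
	pos, err := parseCIDRs(posCIDRs)
	if err != nil {
		return EgressPolicy{}, err
	}
	allowed, err := parseCIDRs(allowedCIDRs)
	if err != nil {
		return EgressPolicy{}, err
	}
	return EgressPolicy{POSNets: pos, Allowed: allowed}, nil
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// FindSuspiciousEgress returns every well-formed record in which a POS host
// reached a destination outside the allowlist. Malformed lines are skipped.
func FindSuspiciousEgress(p EgressPolicy, lines []string) []Conn {
	var hits []Conn
	for _, l := range lines {
		if c, ok := ParseConn(l); ok && inAny(c.SrcIP, p.POSNets) && !inAny(c.DstIP, p.Allowed) {
			hits = append(hits, c)
		}
	}
	return hits
}

// SampleLog is constructed for this example: one permitted register-to-gateway
// connection, one register talking FTP to an unexpected internal host, one
// ordinary workstation, and one unparseable line.
var SampleLog = []string{
	"2013-12-02T03:14:07Z src=10.20.31.7:49322 dst=10.20.1.10:443 proto=tcp action=allow",
	"2013-12-02T03:14:09Z src=10.20.31.7:49323 dst=10.20.5.44:21 proto=tcp action=allow",
	"2013-12-02T03:14:11Z src=10.50.2.9:51000 dst=203.0.113.8:80 proto=tcp action=allow",
	"garbage line that does not parse",
}

func main() {
	p, err := NewEgressPolicy([]string{"10.20.31.0/24"}, []string{"10.20.1.0/24"})
	if err != nil {
		panic(err)
	}
	for _, c := range FindSuspiciousEgress(p, SampleLog) {
		fmt.Printf("%s POS host %s reached %s:%d outside the allowlist\n", c.When, c.SrcIP, c.DstIP, c.DstPort)
	}
}
```

Run against the constructed log, only the register's FTP connection to 10.20.5.44 is reported; the workstation's web traffic is ignored because it is not a POS host. The same allowlist, enforced on the firewall rather than merely alerted on, is the "limiting the other devices to which a program can communicate" that Komarov describes.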
Q: What did the perpetrators of the Target data breach get?
Komarov: But the card readers connected to the POS device encrypt the credit/debit cards and PINs before sending them to the POS device, so the perpetrator of the Target data breach got away with encrypted data and still needs to decipher the data to make it useful.
In conclusion, if in fact the credit card data was nearly irreversibly encrypted using 3DES, Target still had to disclose the data breach to be in compliance with consumer data privacy laws. Whether the encryption between the card reader and the POS register was a weak link or a potent defense isn’t known. Target doesn’t have to disclose this or other technical details, and it may never. It is certain, though, that retailers are looking carefully at the link between card readers and POS devices and tightening up perimeters and policies. And PCI security auditors are now on the lookout for a new threat.