Big-box retailers and electronic funds transfer service companies in the U.S. recoiled in terror when the massive Target hack was announced in December of 2013. A team of crooks, allegedly from Eastern Europe, infiltrated over 40,000 POS terminals in every Target store in America and skimmed off the personal data of more than 100 million consumers who were flooding the stores during the holiday shopping frenzy.
Now it is being noised about that the malware used in the attack, known as BlackPOS, was developed by a seventeen-year-old Russian programmer, who put it on the Internet for general consumption. From there it was downloaded at least sixty times and eventually ended up in the hands of a shadowy gang of thieves who put it to bad use, walking away with a treasure trove of data. Target will be forced to pay millions in fines, consumers are launching class-action suits, and U.S. lawmakers are making threatening noises from D.C.
Underneath all the reactive commotion, a little-known fact keeps trying to surface. This is not the first time Target has been hacked. In 2005, a man named Albert Gonzales rampaged through Target, TJ Maxx, and about a dozen other companies, making off with data from 120 million credit and debit card accounts. Gonzales is now in jail for twenty years, but the big-box stores made little or no effort to correct the vulnerability, and therefore little has changed in the realm of bankcard data protection.
How can this be? That’s easy to answer. There’s an inherent flaw in both the standards and the auditing process that are supposed to keep card data secure. When the PCI-DSS standards were first put in place, they birthed a whole new industry called PCI Compliance Auditing. Audit companies scan processing companies to check their security, but the audit is only germane at the time it is performed. PCI audits are a real pain. Having an outside source scanning your system can greatly affect processing performance. And a company can change its system and introduce new and unsuspected vulnerabilities the next day, leaving it as vulnerable as if it had never been audited.
The main problem is the standard itself. PCI standards don’t require companies to encrypt card data while in transit on an internal network or on its way to a processor, as long as the transmission is over a private network. Target was probably using a secure channel, but the data itself was not encrypted. So the thieves put a little piece of software called a RAM scraper in the memory of Target’s terminals, which were not secure, where the card data sat in plaintext while each transaction was being assembled. Voila! One hundred million consumers had their personal data vacuumed up and sent right to the Internet in Europe, where it was being sold within days of the hack.
There’s a simple solution. Encrypt data at the POS keypad in the same way that PINs are required to be encrypted. This would render RAM scrapers and BlackPOS useless, because the terminal’s memory would only ever hold ciphertext. But this would require card processors to write new protocols, since most of them are not set up to decrypt card data. The large retailers and processors have resisted tougher standards because they would be costly to implement and result in slower transaction times. So what’s to be done? If the big retailers have their way – nothing!
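The two paragraphs above make one technical point: card data that sits in plaintext in terminal memory can be read by anything running on that terminal, while data encrypted at the keypad cannot. The following simulation is an added example, not code from the original article or from any vendor it mentions. It builds the authorization message a terminal would hold in memory in both modes and runs the kind of buffer audit a PCI self-assessment or DLP scanner performs on an application’s own buffers (a Luhn-filtered digit-run search). The cipher is an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, used only because the Python standard library has no AES; a real PIN pad would use AES or TDES under a key held in the processor’s HSM. The test card number, expiry, key and message layout are all constructed for the example.

```python
"""Simulated POS terminal: plaintext card data in memory vs. encryption at the keypad."""
import base64
import hashlib
import hmac
import os
import re

# Constructed test values: an industry test PAN that passes Luhn, not a real card.
TEST_PAN = "4111111111111111"
TEST_EXPIRY = "1225"

# Hypothetical key provisioned into the PIN pad and the processor's HSM.
# The terminal application (where a RAM scraper would run) never sees it.
PROCESSOR_KEY = os.urandom(32)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the filter memory-scanning audit tools use to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(buffer: bytes) -> list:
    """Audit helper: list Luhn-valid 13-19 digit runs present in an application buffer."""
    text = buffer.decode("latin-1")
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF stream (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def pinpad_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """What the keypad does before card data reaches the terminal: encrypt-then-MAC."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def processor_decrypt(key: bytes, blob: bytes) -> bytes:
    """Processor side: verify the tag first, then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("card data blob failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """True if the processor rejects a modified blob instead of decrypting garbage."""
    try:
        processor_decrypt(key, blob)
        return False
    except ValueError:
        return True


def build_auth_message(pan: str, expiry: str, amount_cents: int, encrypt_at_pad: bool) -> bytes:
    """Build the authorization request exactly as it would sit in terminal memory.

    Legacy mode: the card field is 'PAN=EXPIRY' in the clear.
    Keypad-encryption mode: the pad hands the terminal only a base64 ciphertext blob.
    """
    card = f"{pan}={expiry}".encode()
    field = base64.b64encode(pinpad_encrypt(PROCESSOR_KEY, card)) if encrypt_at_pad else card
    return b"AUTH|" + field + b"|" + str(amount_cents).encode() + b"\n"


def processor_recover_card(message: bytes) -> str:
    """Processor parses the message and decrypts the card field with its own key."""
    field = message.split(b"|")[1]
    return processor_decrypt(PROCESSOR_KEY, base64.b64decode(field)).decode()


if __name__ == "__main__":
    legacy = build_auth_message(TEST_PAN, TEST_EXPIRY, 1999, encrypt_at_pad=False)
    p2pe = build_auth_message(TEST_PAN, TEST_EXPIRY, 1999, encrypt_at_pad=True)
    print("legacy buffer, PANs found:", find_plaintext_pans(legacy))
    print("keypad-encrypted buffer, PANs found:", find_plaintext_pans(p2pe))
    print("processor recovered:", processor_recover_card(p2pe))
```

The audit function is the defender’s check here: run over the terminal application’s own transaction buffers, it returns the test PAN for the legacy message and nothing for the keypad-encrypted one, which is the whole argument for encrypting at the pad. The authenticated blob also shows why the processor, not the retailer, needs the new protocol work the article mentions: the processor must hold the key and verify the tag before it can read the card at all.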
Inherent flaws in the Credit Card Payment Processing System may encourage future hacks… – ©2014 Moneymovers, Inc.