10
Oct 14

Malware Based Credit Card Breach at Kmart

Sears Holding Co. late Friday said it recently discovered that point-of-sale registers at its Kmart stores were compromised by malicious software that stole customer credit and debit card information. The company says it has removed the malware from store registers and contained the breach, but that the investigation is ongoing.

“Yesterday our IT teams detected that our Kmart payment data systems had been breached,” said Chris Brathwaite, spokesman for Sears. “They immediately launched a full investigation working with a leading IT security firm. Our investigation so far indicates that the breach started in early September.”

According to those investigators, Brathwaite said, “our systems were infected with a form of malware that was currently undetectable by anti-malware systems. Our IT teams quickly removed that malware, however we do believe that debit and credit card numbers have been compromised.”

Brathwaite stressed that the data stolen included only “track 2” data from customer credit and debit cards, and did not include customer names, email addresses, physical addresses, Social Security numbers, PINs or any other sensitive information.

However, he acknowledged that the information stolen would allow thieves to create counterfeit copies of the stolen cards. So far, he said, Sears has no indication that the cards are yet being fraudulently used.

Sears said it has no indication that any Sears, Roebuck customers were impacted, and that the malware infected the payment data systems at Kmart stores only.

More on this developing story as updates become available. For now, see this notice on Kmart’s home page.

89 comments

  1. Whitelist the POS terminal. Only run approved software. There are multiple vendors that make it easy to whitelist on a POS.

    • Install an OS process lockdown app that creates a Container and negates malware activity, create a secure desktop where the authorised POS apps are whitelisted, and malware will not be able to operate within the secure container (desktop).

      POS apps, data, processes, sessions, transactions etc cannot be accessed or compromised by any malware. Malware does not need to be identified to be stopped, the OS process lockdown takes care of the negation.

  2. I am more interested in how the malware got on the system? This is just like the Jimmy John’s issue (malware on their POS system). Malware was placed on the system because of a breached LogMeIn account/password. This remote login option did not have 2-factor auth either, which is a big no-no.

  3. Kmart states: “Based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by those criminally responsible.”

    Kmart omits any statement about whether CREDIT card PIN numbers were obtained. Positive spin is one thing. Lack of full disclosure is reprehensible.

    • Terry – Maybe you want to take a breath before pasting that “reprehensible” label. K-Mart (subsidiary of Sears Holding Company) made the discovery 10/9, filed an SEC disclosure the same day, and got much information out by 10/10. It was the fastest disclosure since I’ve been studying these events back to 2005. Incomplete? Sure. The investigation is less than a week old.

      Still want to use that label? Use it on the organizations that told us nothing until after some intrepid security researcher noted the stolen information ready for sale. Most recently, and in a major manner, that was Home Depot. There have been others.

      K-Mart see nc3 dot mobi/references/2014-unknown/#20141010
      HD see nc3 dot mobi/references/20140902-home_depot/

      Lastly – What credit card uses PIN numbers?

      Jonathan @nc3mobi

      • I agree that this seems like a remarkably quick disclosure. That the infection is believed to have started in September also points to a fairly quick catch, at least compared to so many other infections. Admittedly it would be ideal to catch it instantly, or not allow it to infect systems at all, but you have to deal with the devils you know and not some ideal world that nobody inhabits.

        I swear every time I hear about one of these breaches I feel a sense of relief that it’s not at a place I’ve shopped. I wonder how long my luck will hold…

      • @Jonathan – pretty much everywhere outside of the US uses chip and PIN (EMV).

      • Rapid disclosure, comparatively rapid discovery, and the fact that they discovered this themselves tells me that at least Sears has a good monitoring and response team in place. Of all the recent breaches it looks like Sears has done the best job.

  4. This breach was caused by a fundamental flaw in the POS architecture. It is to assume that the POS system is secure. This allows clear text sensitive data to be present and available to malware. The relatively simple solution is to encrypt the card tracks in the terminal that captures the card data and tokenize the PAN for later use, as needed. If the data is encrypted (See PCI SRED requirements) it is useless to the Bad guys. As retailers deploy EMV-ready customer facing terminals, they should implement SRED for (at least) a partial P2PE solution.
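The data flow comment 4 describes, as an added example that is not part of the original comment or any vendor's code: the card reader encrypts the track and tokenizes the PAN, so the POS host only ever holds ciphertext and a token. The keys, function names, the HMAC-based stand-in cipher and the keyed-hash token scheme are assumptions for illustration; real SRED devices use hardware-protected TDES/AES keys.

```python
import hashlib
import hmac
import os

# Constructed sample: ISO/IEC 7813 track 2 layout around a well-known test PAN.
SAMPLE_TRACK2 = ";4111111111111111=25121010000000000000?"

# Hypothetical demo keys. Real SRED readers hold injected keys in tamper-responsive
# hardware; the POS host (where memory-scraping malware runs) never has them.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"demo-integrity-key").digest()
TOK_KEY = hashlib.sha256(b"demo-tokenization-key").digest()


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 in counter mode), NOT the TDES/AES used in practice."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def tokenize_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits; replace the middle with keyed-hash digits."""
    middle_len = len(pan) - 10
    digest = hmac.new(TOK_KEY, pan.encode(), hashlib.sha256).digest()
    middle = int.from_bytes(digest, "big") % 10 ** middle_len
    return f"{pan[:6]}{middle:0{middle_len}d}{pan[-4:]}"


def terminal_capture(raw_track2: str) -> dict:
    """Runs inside the card reader; only ciphertext and a token are returned to the POS."""
    pan, sep, _ = raw_track2.strip(";?").partition("=")
    if sep != "=" or not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a track 2 record")
    nonce = os.urandom(12)
    ciphertext = _xor_keystream(ENC_KEY, nonce, raw_track2.encode())
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return {"token": tokenize_pan(pan), "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def processor_decrypt(msg: dict) -> str:
    """Runs at the processor/HSM, the only other place the keys exist."""
    expected = hmac.new(MAC_KEY, msg["nonce"] + msg["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("message was modified between terminal and processor")
    return _xor_keystream(ENC_KEY, msg["nonce"], msg["ciphertext"]).decode()


if __name__ == "__main__":
    msg = terminal_capture(SAMPLE_TRACK2)
    print("POS host sees token:     ", msg["token"])
    print("POS host sees ciphertext:", msg["ciphertext"].hex())
    print("processor recovers:      ", processor_decrypt(msg))
```

The token is stable for a given card, so the retailer can still match returns or repeat purchases without holding the PAN.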

  5. Malathi Senthil

    Why did the POS terminal store track2 data in the first place? Any business/technical requirement?

    • There is a previous comment about memory scraping malware. The cash register isn’t storing the data, just seeing it and processing it.

  6. @Brian: have you read about https://en.wikipedia.org/wiki/Chip_Authentication_Program ?

    Note: I’m not endorsing it, but I only heard about it today, and it’d be interesting to hear what people think about it.

    http://www.emv-usa.com/faq/card-not-present.html
    {quote}
    We hear that there is no technology that eliminates the card-not-present fraud, so why should we spend money to convert to EMV, because much of our business is card-not-present?

    Posted On: March 21st 2011

    There is a feature available for chip cards that allow customers to prove that the card is present and that they know their PIN. This is done using a handheld ‘Chip Authentication Program’ or CAP reader. At this time, the North American market is nowhere near being able to release this however, this technology can help to prove that the card is present and the customer is authenticated.
    {/quote}

    • TimeLess – re EMV/CAP/DPA

      There were problems with the consumer reader back as far as 2007. One bank’s device didn’t necessarily work with another bank’s card unless they adhered to the APACS sub-standard. APACS replaced in 2009 by UKPA. For more see www dot nc3.mobi/references/emv/ and look low on the page.

      b) Let us remember EMV would not have helped Target victims
      www dot krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/

      c) IMHO – what a PITA to have to carry another device!

      d) Sorry for the delay in replying. All I’ll say is my dentist is now more than a bit richer and I’m grateful for the development of modern pain medications.

      Jonathan @nc3mobi

  7. This has to be an inside job “if” they are PCI compliant. Two factor is required for access to the POS environment. I’ve been through a PCI audit and each of these stories makes me furious because of the 9 months and the 250k of my budget we spent to become compliant. No system is perfectly safe, but constant auditing would at least alert you that something had happened and how.

    • Byran wrote> This has to be an inside job “if” they are PCI compliant.

      PCI compliance has value, but it isn’t guaranteed even if it is expensive.
      Were all these PCI compliant compromises inside jobs?

      March 2008 Hannaford Brothers grocery chain
      December 2008 WorldPay
      January 2009 Heartland Payment Systems
      August 2013 NoMoreRack.com, a tier-2 processor
      December 2013 Target certified compliant two months earlier.
      January 2014 Neiman Marcus
      February 2014 Discover, PCI compliant and compromised

      Don’t take my word for it

      see www dot businessweek.com/articles/2014-03-20/credit-card-data-security-standards-dont-guarantee-security and
      www dot forbes.com/sites/sungardas/2014/05/01/can-your-company-be-pci-compliant-and-still-get-hacked

      Jonathan @nc3mobi
      (ps: two tweets sent last night. OLE/INF bug that truly could be “Death By PowerPoint”. SSL3.0 design vulnerability exploited when TLS falls back. Because it is a design (not implementation) problem, any browser that was standard compliant is exposed. That is almost ALL of them could expose your httpS communications. Start reading at www dot nc3.mobi/references/2014-unknown/#20141014 )

      • Seems to me PCI standards and/or POS network vendors have ‘broken’ standards/networks that aren’t supposed to be ‘insecure’–it’s not keeping malware off of the POS network. I moreso agree with the direction Bryan is headed–the POS network shouldn’t be allowing unauthorized installation of programming code (malware or non-malware).

        Target, Home Depot, Kmart– seems to me the existing PCI standards/POS network, etc– something is moreso ‘broken’. Like another reader mentioned: Trustwave is close in that ‘broken’ relationship too.

  8. Industry contacts indicate ramp up in Mag exploitation will continue to grow as EMV looms. The fraudster tech also evolves…POS malware being a case in point…the ‘volume’ problem may also be addressed with tools based on multi-card plastics – sure beats carrying hundreds of blank/fake plastics around…also I imagine they would rig with safety functions to show law enforcement a few legit accounts (while erasing the ‘loot’)… http://www.crowdfundinsider.com/2014/10/52471-plastc-card-banks-ongoing-need-physical-card/

  9. The Human Defense

    All,
    I see a lot of talk about standards and compliance with and a lot of technical talk.
    Keep in mind, the DBIR from Verizon (forensic, not survey data) shows that more than 80% of the breaches (stolen data) and intrusions (entering the network not lifting data) are due to weak and stolen credentials. If you have 20,000 employees, why would you not engage them in the art of creating strong credentials and educate them on what the cause and effect of having risky habits are.
    This breach and the other card breaches are all going to come down to the point of entry, and that point will be our employees and their habits………just go back over the last year and look at how many companies released their point of entry, and you will see that we need to focus on our employees’ ability to assist security teams in defending their own and the company’s assets.

    • TheHumanDefense –

      I agree with most of what you wrote. As I understand “all going to come down to the point of entry” you mean the point where the consumer’s confidential credentials enter the merchant system. I suggest that we can go even before then, to where credentials are retained by the consumer. If the credentials are secure within the consumer, and not shared with the merchant, then no matter how insecure the merchant, what may ever be stolen, the consumer credentials are not among them.

      Any single person may be trustworthy, loyal, helpful, friendly, courteous, kind, obedient, cheerful, thrifty, brave, clean, and reverent (thanks BSA) but collectively we are less so. As a group we exhibit other attributes including laziness, one of the Seven Deadly sins, called “sloth” in the older days.

      Skimping on procedures, choosing simple (or common) passwords, all are short term time savings with an increased risk of future problems. Laziness and procrastination pay off now. The key: “risk” is not “certainty”. If speeders had a 100% chance of getting caught, few people would.

      This is why any efficient solution has to provide the security work, not the humans. Think about a supermarket checkout queue where everyone has to enter a PIN. That adds time. Multiply that time by the millions of people each day checking out and that is a national time suck.

      Efficiency isn’t enough, a solution has to be effective. It has to work in at least existing transaction avenues (card present, computer access, mobile) and provide for future avenues including doing a transaction when not connected to the internet at all.

      Did anyone else notice October was National Cyber Awareness Month? “… cybersecurity is one of our country’s most important national security priorities, and we each have a role to play—cybersecurity is a shared responsibility.” (more at www dot dhs.gov/national-cyber-security-awareness-month)

      Or notice that on 10/17/2014 we got a new Executive Order that appears to require chip-and-PIN?

      IMPROVING THE SECURITY OF CONSUMER FINANCIAL TRANSACTIONS

      Given that identity crimes, including credit, debit, and other payment card fraud, continue to be a risk to U.S. economic activity, and given the economic consequences of data breaches, the United States must take further action to enhance the security of data in the financial marketplace. While the U.S. Government’s credit, debit, and other payment card programs already include protections against fraud, the Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system.

      By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to improve the security of consumer financial transactions in both the private and public sectors, it is hereby ordered as follows:

      Section 1. Secure Government Payments. In order to strengthen data security and thereby better protect citizens doing business with the Government, executive departments and agencies (agencies) shall, as soon as possible, transition payment processing terminals and credit, debit, and other payment cards to employ enhanced security features, including chip-and-PIN technology.

      [ highlighting mine. Whole text at www dot whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions ]

      I guess the White House does not read KOS!

      Jonathan @nc3mobi

    • TheHumanDefense –

      (I wrote a better reply www dot krebsonsecurity.com/2014/10/malware-based-credit-card-breach-at-kmart/comment-page-2/#comment-303465 but appears to have been trashed by auto-spam. Here is an abbreviated reply. Sorry)

      I agree with most of what you wrote. As I understand “all going to come down to the point of entry” you mean the point where the consumer’s confidential credentials enter the merchant system. I suggest that we can go even before then, to where credentials are retained by the consumer. If the credentials are secure within the consumer, and not shared with the merchant, then no matter how insecure the merchant, what may ever be stolen, the consumer credentials are not among them.

      Any single person may be trustworthy, loyal, helpful, friendly, courteous, kind, obedient, cheerful, thrifty, brave, clean, and reverent (thanks BSA) but collectively we are less so. As a group we exhibit other attributes including laziness, one of the Seven Deadly sins, called “sloth” in the older days.

      Skimping on procedures, choosing simple (or common) passwords, all are short term time savings with an increased risk of future problems. Laziness and procrastination pay off now. The key: “risk” is not “certainty”. If speeders had a 100% chance of getting caught, few people would.

      This is why any efficient solution has to provide the security work, not the humans. Think about a supermarket checkout queue where everyone has to enter a PIN. That adds time. Multiply that time by the millions of people each day checking out and that is a national time suck.

      Efficiency isn’t enough, a solution has to be effective. It has to work in at least existing transaction avenues (card present, computer access, mobile) and provide for future avenues including doing a transaction when not connected to the internet at all.

      Did anyone else notice October was National Cyber Awareness Month? “… cybersecurity is one of our country’s most important national security priorities, and we each have a role to play—cybersecurity is a shared responsibility.” (more at www dot dhs.gov/national-cyber-security-awareness-month)

      Or notice that on 10/17/2014 we got a new Executive Order that appears to require chip-and-PIN? Whole text at www dot whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions

      I guess the White House does not read KOS!

      Jonathan @nc3mobi

      • The Human Defense

        Jonathan,
        Yes sir, it would appear the WH isn’t reading one of the most accurate blogs I can think of.
        I enjoyed reading what you wrote and agree with most of it also. However, one thing I am finding after speaking with approximately 17,000 employees in the last 3 years I have had the following observation.
        Out of the 17K employees I have spoken to and discussed this subject with feel the following (80% of the 17K): They believe that the company’s cyber security team will protect the network and that they really don’t know what they can do to really keep bad guys out. Additionally, they find that security organizations speak another language they do not or will not understand, so they close off their mind as soon as someone starts talking security.
        Finally, no one has ever told them about the risky habits and the ultimate consequence of these risky habits.
        I feel, addressing just these three areas and stop talking about stuff most employees can’t or will not understand makes the conversation irrelevant. This is resulting in employees’ lack of adherence and knowledge of policies and their relationship to the risky habits, based on how it relates to the employee.

        • Human Defense-
          If I read what you wrote properly, the CyberSecurity folks don’t communicate to EveryoneElse what is happening in a language EE can understand and EveryoneElse believes CyberSecurity will protect us. Sounds like a charlie-fox exercise in fiefdoms and a major case of not understanding goal alignment.

          The goal is to be able to carry out the mission of the company, whatever it is. CyberSecurity is necessary to protect EveryoneElse, but EveryoneElse does the work to carry out the mission. Both are required.

          During my consultant decades a lot of time was spent translating between techno-types and accounting-types (see my LI profile for why I spoke both). I made clear to both sides that both jobs needed to get done. Technies provided the tools for accountants to do their work. Accountants (most of my work was at accounting & legal firms) did the work that paid the technies. Then we had a period of learning how to communicate in tech-ese and account-ese (no one ever learned to speak tax-ese or patent-ese). Effective (not necessarily efficient) communications generally lasted until management stopped expending resources on interdepartment communications education.

          Effective and efficient communications and a shared sense of mission are vital in the success of an enterprise. I’m sure Sun Tzu wrote something about that, but I’m too tired to find it.

          For something completely different read about
             the Gambling Machine Bug where someone could regularly beat video poker
             www dot nc3.mobi/references/2014-unknown/#20141007

             and being very afraid of public WiFi
             www dot nc3.mobi/references/2014-unknown/#20141012

          The morrow approaches! Be well.

          Jonathan @nc3mobi

  10. Do I need to cancel my card that I used at Kmart before this malware hit?

  11. It makes me concerned to shop at any of the mass merchants now as they seem to keep having these types of credit card breaches.

  12. I had no idea about this until I realized I just lost $700+ dollars on my reloadable Kmart debit card and sensed it had to come from Kmart since that’s the only place I have used it that was out of the norm. I then searched the internet for fraudulent activities associated with Kmart and realized they took every penny from my account on various items and travel agency. I called up the debit card and they never mentioned anything about this. Kmart has all our email addresses and didn’t even send an alert to change pins or to monitor card for suspicious activities. This is shocking and inappropriate for dedicated customers to lose their private details. It’s also false about only the data2 information was compromised, it’s on the same breach level as Target. They had my name address and all the details that I had on the card, which makes me think it was an inside job. This is unacceptable especially so close to the Holiday Season. They had better fix this problem or suffer the consequences this Holiday Season. Total Chaos