10 Oct 14

Malware Based Credit Card Breach at Kmart

Sears Holding Co. late Friday said it recently discovered that point-of-sale registers at its Kmart stores were compromised by malicious software that stole customer credit and debit card information. The company says it has removed the malware from store registers and contained the breach, but that the investigation is ongoing.

“Yesterday our IT teams detected that our Kmart payment data systems had been breached,” said Chris Brathwaite, spokesman for Sears. “They immediately launched a full investigation working with a leading IT security firm. Our investigation so far indicates that the breach started in early September.”

According to those investigators, Brathwaite said, “our systems were infected with a form of malware that was currently undetectable by anti-malware systems. Our IT teams quickly removed that malware, however we do believe that debit and credit card numbers have been compromised.”

Brathwaite stressed that the data stolen included only “track 2” data from customer credit and debit cards, and did not include customer names, email address, physical address, Social Security numbers, PINs or any other sensitive information.

However, he acknowledged that the information stolen would allow thieves to create counterfeit copies of the stolen cards. So far, he said, Sears has no indication that the cards are yet being fraudulently used.

Sears said it has no indication that any Sears, Roebuck customers were impacted, and that the malware infected the payment data systems at Kmart stores only.

More on this developing story as updates become available. For now, see this notice on Kmart’s home page.

89 comments

  1. Oh good, we should all be covered now: “To further protect our members and customers who shopped with a credit or debit card in our Kmart stores during the month of September through yesterday (Oct. 9, 2014), Kmart will be offering free credit monitoring protection.”

  2. Good grief. It’s way past time to start punishing CC companies by not using their insecure financial instruments until MAJOR updates in their security infrastructure happen (chip+PIN, encryption, whatever). Start using cash everywhere, like that SNL skit said, “If you can’t afford it, don’t buy it.”

    Let’s see malware hack the transaction of handing a $20 bill to someone. :-p

    • Why punish credit card companies for the merchants’ inability to protect our data? Would you punish a bank if a merchant lost a stack of checks?

      • If the banks wouldn’t require merchants to retain CC data to disprove chargebacks, the CC data would not have to be stored by the merchants.

        • You are mistaken about keeping card numbers for charge backs.

          The brands don’t require this and many banks don’t either.

          This is not where the problem lies.

          Many merchants keep the card numbers because that is what they’ve always done. They frequently believe they need to keep it.

          Also, most of the current crop of breaches are due to malware reading the track data from the cash register memory before the transaction is even authorized by the bank. Data kept after authorization is a small subset of the track and is of much less value to criminals. Whether or not the merchant keeps the card number after authorization is immaterial in these cases.

          • If malware was used the stores etc. do not need to keep the CC numbers at all. The malware can record the information and immediately process and send it out. It would be basically you slide your card, punch the required button and the data is sent along to some rogue database where the controller of the malware goes over it at their leisure. Keyloggers do much the same thing with keystrokes. They can send them in anything from daily logs to real time to a database or email address. With a keylogger it would be sent once enter was pressed x number of times. With a recording program for CC data it would be something along the lines of once the transaction is completed.

      • The reason for the upstream blame is that the Credit Card companies mandate an architecture that has been made obsolete for a long time now. Whenever you have static account information that is used for every transaction you have a huge threat. We will continue to see massive breaches and fraud like this until the architecture of the payment system is addressed.

        So when the Credit Card companies mandate a system of static account information which is hugely vulnerable to unauthorized global re-use, and then push the liability to the bank, which then pushes the liability to the merchant, and say “secure that information,” you are going to see this kind of thing over and over.

        • While the credit card architecture is long overdue for an overhaul the problem is not entirely the card brands fault.

          Various groups in the US have been resistant to EMV. The US is trailing the world in implementing it, with the natural consequence that they will bear the burden of mag stripe fraud until we do away with mag stripes entirely.

          EMV/Chip provides dynamic per-transaction elements. Even the tap/wave provides dynamic elements IF the card issuer requires it. Data stolen from these transactions can’t be used for EMV, tap/wave, or swipe. However, the data still may allow for online and card-not-present fraud at some merchants.

          • Dave: EMV is no silver bullet. I won’t bore the audience with details again. See http://nc3.mobi/references/emv/ for weaknesses 2008 thru May 2014. See also what European banks have done to move liability for fraud to the consumer. Think also of how EMV works (or does not work) in the growing space of E&M commerce vs the shrinking world of B&M commerce.

            K-Mart (subsidiary of Sears Holding Company) made the discovery 10/9, filed an SEC disclosure the same day, and got much information out by 10/10 (maybe to dump it in the Friday file?) It was a very fast disclosure and they deserve an atta-person …. delivered with the Gibbs Head Smack for getting breached in the first place. At least they noticed it before the stolen information surfaced for sale!
            http://nc3.mobi/references/2014-unknown/#20141010

            • Great point!!! Kudos to a merchant finally doing the “right” thing!!!

            • @Jonathan – Nothing is perfect but EMV does reduce card present fraud. You’re right there are a lot of details and many have been discussed in comments on Brian’s blog before. Flaws in the UK EMV implementations. Liability shift. Weaknesses in non-EMV CC acceptance methods.

              • Dave – You’re right: EMV has applications in card present (CP) transactions. CP was initially the only way to use a charge card. Later people sent the information via mail and the wired land line. Then came telecopier/facsimile transmission, the cell phone (see historical note below) and the explosively widespread adoption of the internet.

                Today (and tomorrow) CP is but one avenue. A new commerce solution has to do the job while being truly secure (effective) in the growing venues of E&M commerce and be fast, inexpensive and easy to use (all related to being efficient). EMV fails on those measures as well as the ones you mentioned.

                Memory-parsing software (RAM scrapers, see reference below) enables crooks to capture data as plain text when it travels through the live memory of a computer. Such software seeks information before it is “stored”. Scrapers can be malware in the register, in the card scanner, anyplace within a computing platform, element or peripheral thereof. There has been malware in digital copiers (see below).

                Improved locks are often expensive, cumbersome and don’t work in all commerce venues including not-present transactions like paying a paper invoice while in the bathroom without using transactional internet. Consider a concept shift where the confidential consumer credentials travel via the merchant, but are not readable by the merchant. What travels through the merchant’s memory or storage is valueless to a crook. Effective, efficient, and works within existing transaction and communications infrastructures.

                Jonathan @nc3mobi

                References
                replace the “dot” with a “.”

                Re RAM scrapers
                January 12, 2014 Reuters article
                www dot reuters dot / article/2014/01/12/us-target-databreach-retailers-idUSBREA0B01720140112

                First cell call was April 3, 1973 by Martin Cooper, a Motorola employee, from midtown Manhattan to Bell Labs headquarters in New Jersey.

                Malware in copiers
                www dot darkreading dot com/vulnerabilities-and-threats/social-engineering-attacks-pose-as-corporate-copiers/d/d-id/1100412?

                Symantec 2014 Security report which includes malware in copiers
                www dot symantec dot com/security_response/publications/threatreport.jsp

                • The Human Defense

                  Jonathan
                  Excellent explanation of what is truly occurring with memory scraping in these particular cases. What we are witnessing here is the new normal and the inability of some companies to move fast enough to head it off. There is not and will never be a silver bullet, with or without credit cards, with or without an electronic wallet, with or without other payment tools. Fraud is as old as prostitution and as prevention evolves, so will the tactics to bypass those tactics and get to the golden calf.

                  Well done sir!

                  Thank you,

                  • Credit belongs to me only for gathering, summarizing and reporting information, second-tier at best. Those who figure out what really happened deserve more credit and credits.

                    For what I done did, all ya’ll is welcome. I’m grateful for a comment-iterati who contribute information (questions or answers) instead of just venting. IMHO we’re all rather … vexed … at the situation. As for spammers: Go n-ithe an tochas thú! (Old Gaelic)

                    Jonathan @nc3mobi

    • Sowing seeds so you can spend the $5,000,000 MrMouse “bug bounty” cash I sent you last month without attracting too much attention Brian ? 🙂

    • It is as simple as using 2 devices to complete a charge transaction. Card companies need to understand that the cost of future breaches needs to be factored into putting dollars behind upgrades of infrastructure. Perhaps a simple OTP via SMS to the cardholder would be the second layer against fraudulent charges. Even if a POS system were compromised, it would help to prevent any further damage. India has Chip + PIN for all domestic transactions. Recently, they introduced OTPs for international online transactions where these can be done. The person who pays for a breach is the merchant, not the card company. As you rightly pointed out, it should be the card company.

    • Question: What can the cardholder do?

      Answer:

      1) Go get a free chip based EMV card from your bank. If they don’t have any, switch banks to Bank of America or Citibank both of which have no annual fee cards with chip & signature.
      Search for http://www.creditcards.com smart-emv-chip for a list.

      2) Patronize retailers that let you use the chip. Right now, Walmart is operational. Others will follow when pushed by the consumer, and as the liability shifts to those retailers who don’t upgrade their point of sale devices.

      EMV is a worldwide standard.

    • Whilst thou is diligently concentrating on the malware flow, mayest thou also blindly exchange your $20 bill for the exceptional $5, $10, $20 fruits of the $300 photocopier, produced last night for thy enjoyment, by Gomba the Currency Guy, who takes literally the admonition to “Go forth and multiply”…

      (Gomba: “Da $50s, $100s, dey attract too much attention. Stoofs think you’re a drug dealer…”)
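The memory-scraping mechanism discussed in the replies above (track data read from register RAM before the transaction is authorized, with only a low-value subset kept afterwards) and the article’s point that Track 2 data alone is enough to counterfeit a card, shown in working code. This is an added example, not code from the original post or from any commenter. It assumes the standard ISO/IEC 7813 Track 2 layout, uses publicly documented test card numbers inside a constructed memory image, and the function names are the example’s own.

```python
"""Track 2 data: what a POS RAM scraper harvests and how a defender can
spot it in a memory image.

Added example.  The track strings below are constructed test vectors built
from publicly documented test card numbers; nothing here comes from the
Kmart investigation.
"""
import re
from typing import Dict, List, Optional

# ISO/IEC 7813 Track 2 layout:  ;<PAN>=<YY><MM><service code><discretionary>?
# A swipe hands the terminal exactly this string, which is why a scraper
# reading register memory before authorisation gets everything needed to
# clone the magstripe.  Track 2 carries no cardholder name (that lives on
# Track 1), matching the "no names" statement in the post.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; scrapers use it to discard false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: bytes) -> Optional[Dict[str, str]]:
    """Split one track string into its fields, or return None if it is not
    a plausible card record (wrong layout or Luhn failure)."""
    m = TRACK2_RE.fullmatch(raw)
    if m is None:
        return None
    pan, yy, mm, service, discretionary = (g.decode() for g in m.groups())
    if not luhn_ok(pan):
        return None
    return {
        "pan": pan,
        "expiry": f"20{yy}-{mm}",
        "service_code": service,
        "discretionary": discretionary,
    }


def chip_capable(service_code: str) -> bool:
    """First service-code digit 2 or 6 means an IC (EMV) chip is present,
    which is how an issuer can refuse a magstripe clone of a chip card."""
    return service_code[:1] in ("2", "6")


def scan_memory(buf: bytes) -> List[Dict[str, str]]:
    """Walk a process memory dump for Track 2 records.  This is the same
    search a RAM scraper performs on the register; run over a dump of the
    POS process it doubles as a check for clear-text track data in RAM."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        rec = parse_track2(m.group(0))
        if rec is not None:
            rec["offset"] = str(m.start())
            hits.append(rec)
    return hits


def mask_for_storage(pan: str) -> str:
    """What a merchant may keep after authorisation: at most the first six
    and last four digits (PCI DSS truncation), useless for a clone."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed memory image: two valid records, one decoy that fails Luhn,
# surrounded by the sort of noise found in a real dump.
SAMPLE_MEMORY = (
    b"pos.exe\x00txn=41\x00"
    b";4111111111111111=1812101123400000?\x00"
    b"\xff\xfe;1234567890123456=1501101?\x00"      # Luhn-invalid decoy
    b"log: auth ok\x00"
    b";5500000000000004=2006201?\x00"
)

if __name__ == "__main__":
    for rec in scan_memory(SAMPLE_MEMORY):
        kind = "chip" if chip_capable(rec["service_code"]) else "magstripe"
        print(rec["offset"], mask_for_storage(rec["pan"]), rec["expiry"], kind)
```

Run it as-is to see the two valid records printed in masked form; point `scan_memory` at a dump of the POS process (any process-dumping tool will do) to confirm whether full track strings are resident in clear text between swipe and authorization, which is the window the scraper exploits.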

  3. “According to those investigators, Brathwaite said, ‘our systems were infected with a form of malware that was currently undetectable by anti-malware systems.’”

    But of course malware is always undetected until it IS detected…

    • But is it Backup? Would KMart call it a new form of malware if we have known about it for almost a year?

    • Could they be referring to the malware being an existing variant (BlackPOS, etc.) but encrypted to avoid detection by scanners?

  4. This is so bad!

  5. What am I, chopped liver?? I haven’t been hacked yet!! Oh, wait. I don’t have a POS terminal. Never mind….

  6. I give them a little credit for “only” being infected for a month. Since Brian didn’t break the story, it’s probably true that fraudulent credit card transactions haven’t shown up yet. It makes me think they proactively looked at their POS systems, found something and took action, which is better than 99% of the companies out there.

  7. The Human Defense

    As with all of these breaches, it will come down to a non-sophisticated point of entry…..a stolen cred, a spear phishing email with link that provides remote access or some other event that millions of $$$$ of software and infrastructure couldn’t stop.
    Why??? The human element, it is not weak, it’s that they are not included in the defense of the organization.

  9. After reading the notice on the Kmart web site, I give them even more credit. They acted promptly, came clean immediately, and the president of the company apologized to its customers. They have a two page FAQ about what to do and who’s affected, links to the FTC Identity Theft web site, and of course, free credit monitoring. Quite a different response from Dairy Queen’s.

  10. TheOreganoRouter.onion.it.

    Yet another breach , the fun continues

  11. TheOreganoRouter.onion.it

    This problem continues on because corporations have become very lax about internet security when it comes to P.O.S. devices

  12. At this point, I fully expect these POS breaches to continue to be reported for months and months to come because it sounds like damn near every notable merchant was affected to some degree.

    • Deadite & AlphaCentauri,

      Based on 2012 USA Retail Sales of the top 14 retailers in the USA:

      My trust of why I wouldn’t want to use a payment card at a brick-and-mortar retailer has diminished by 29% now (breaches at Target, Home Depot, Kmart (Sears), Macy’s…) The brick-and-mortar retailers are not regaining my trust no matter what they have said (it’s not enough and hasn’t proved to be enough–My motto: “I don’t trust that you take your payment system security seriously”).

      Four of fourteen of the top retailers have been breached.
      4/14=29% breached.

      National Retail Federation: https://nrf.com/resources/top-retailers-list/top-100-retailers-2013 (position 3 breached, position 5 breached, position 13 breached, position 14 breached…) Stating this another way, based on 2013 USA retail sales, that’s the 1st and 3rd largest department stores (Macy’s and Sears Holdings), the 3rd largest mass merchant (Target), and the largest home improvement retailer (Home Depot).

  13. The link seems broken to “Beware Social Security Fraud.” Would you please restore?

    Thanks for spectacular reporting.

  14. Probably the same Russian gangsters responsible for all the previous POS poisoning attacks – using memory scraping malware. And, they probably got in through the POS vendor remote access. (weak or nonexistent password). Merchants, be vigilant with your vendors. Monitor their actions closely.

    Thanks Brian. You are indeed on the firing line. Keep up the great work.

  15. Free Credit Monitoring…..what a joke.

    Many of the incompetent top-tier corporate managers will draw huge bonuses at year’s end. Incompetence and stupidity pays well in the USA.

  16. Well kudos to Kmart for announcing it before getting the dreaded call from Brian, and not cover it up for 2 months like DQ did.

    Still, this makes a lot more work for me.

  17. Given the size of the companies which have been breached, the length of time breaches go on before detection, and the fact that they are companies that have far more ability to hire computer security personnel and far more likelihood of a pattern of credit card theft being detected, is it even remotely likely there are any POS systems that HAVEN’T been breached?

  18. It is also rather worrying that they have no support for secure renegotiation and only use RC4 in their TLS connections.

  19. Why just monitor your credit card statement monthly? Use a card that will send you an email for every purchase. This is very easy monitoring. So far the only one I have found is from BankAmerica and it does have a $1 minimum, but surely there are others that do it as well or better.

    • Ally (ally.com) has email alerts if the customer sets a threshold.

    • Chase also has configurable alerts.

      • The question on credit card alerts is how low they can be set.
        I want mine set at $1.00 or less. If someone tests the account with a small purchase, I want to know.

    • An email for every purchase sounds nice, but why consume bandwidth and time for something that could be prevented?

      The biggest threat of confidential consumer credentials being compromised is its increasing acceptance and commonplace and inevitable.

      It is not.

  20. Hmmn, makes me wonder how many smaller chains or even mom & pop stores are being breached that no one knows about. These large merchants have big IT departments that eventually detect a breach during a scan or audit. What if a small shop’s network is breached who doesn’t have a dedicated IT staff to detect a breach?

  21. Instances like this make my decision to use cash exclusively at retail, convenience stores and gas stations better and better with every breach that hits the news…

    • Good luck getting your cash back when your wallet gets stolen. The nice thing about using credit cards is that if they are stolen, it’s not your money and you don’t lose anything.

  22. The Human Defense

    All,
    We’re losing track, we’re running off in too many directions. All valid but confusing………..circle back to the true issue here. The point of intrusion to the point of the breach……the defense in depth model did not work…..why????? Because we’re all human and humans design all of these networks……the point of entry, donuts to dollars that point of entry was like walking up to an open door in any neighborhood in any city in any country…..then next issue was detection and what was happening at the POS or in this case, what was not happening…….

    Chip and PIN…..is this the silver bullet??? Lets not give ourselves and the public false hope….I watched a card hacker crack chip and PIN 4 years ago …….THERE IS NOT AND NEVER WILL BE A SILVER BULLET AGAINST FRAUD………….STOP TELLING PEOPLE THERE IS

    We can only delay the inevitable and manage the risk by mitigating as much risk as possible.

    My point, in summary is……..using many different techniques ….educating the consumers and employees in conjunction with technologies such as chip and PIN, tokens, and other tools we can keep them at bay and push them to some other vector of attack.

    As stated so well by the unbelievable young lady who won the Nobel Prize this week: “Alone, I can do nothing, but united….standing together the possibilities are limitless”

    The community on this blog is one of an amazing amount of brain power and resolution to pound these turds into the ground. I would love to see 50 or 60 of us sit in a room and build an alliance against these organized units of evil.

    Thank you for listening….and good luck

  23. They used the same PCI Assessor as Home Depot did… Is the assessor missing network segmentation issues or any other connection that might help other retailers? When Sears was implicated due to the common point of purchase overlap with the Home Depot breach they had to prove they weren’t affected. I wonder if this ‘red team’ exercise helped them react faster to the Kmart breach… It doesn’t seem like it went on as long as some others.

    • The Human Defense

      Does this really matter if the point of entry was the true vulnerability? No, not really. That’s like locking the screen door on your house, it’s a thin layer. My point is, that the Verizon DBIR has clearly shown, since its inception, the point of entry continues to be a non-technical hack and as simple as stolen or weak credentials. Let’s focus on the real root cause instead of assessments, audits, and reports that still would have left a gap. I will eat my words if I am wrong, but I will not be wrong. The point of entry here will be an employee or employees’ creds at either the company breached or at the 3rd party POS provider (see Jimmy John’s).
      Technology is not a security solution, it is a human resolution. Resolve to the fact that humans are involved at every level.

  24. There is no way to eliminate fraud. It is simply too expensive and for most merchants and issuers it is more economical to eat fraud expenses than to spend money on eliminating fraud. If you want to eliminate fraud then banks would simply decline all transactions and force the customer to call to “activate” the account, the customer would then complete the purchase and the bank would deactivate the card. Of course you then need a fool-proof authentication process for when the customer calls to make sure someone isn’t pretending to be the customer and you would need enough phone agents to be able to take the 10,000,000 (for the biggest banks) calls each day. But then we go back to economics. A system like that would cost hundreds of times more than what a bank experiences in fraud each year.

    Some people just need to relax, fraud is an operating expense that all parties have accounted for. People are already becoming less worried about it. Compare the fallout and outrage over the Target breach compared to Home Depot. I doubt the Home Depot CEO will step down over it. Pretty soon these breaches will just be business as usual. This is why I use my credit card 100% of the time. Why expose your own money with debit cards or cash if you can just play with the big evil bank’s money instead? They want you to spend spend spend and if you have fraud on your account they will usually credit the charges within 5-7 days along with a shiny new card to go spend spend spend.

    • The Human Defense

      Brown,
      I spent 18 years in the credit card industry, and you’re correct….they do set money aside for fraud losses, but nothing like what the industry has been hit by in the last 12 months. I can tell you that there are already several community banks that have shut down or had to sell off their card base and only issue debit cards. The more fraud, the more cost to the consumer. Look what happened when home mortgage fraud ran out of control for almost 8 years…….trust me…..fraud at this level cannot be sustained for long in the current economic and political environment.
      That might even be the goal.

    • > There is no way to eliminate fraud.
      I used to write
      The worst thing about compromised information is its growing acceptance as commonplace

      I credit you with changing that to
      The worst thing about compromised information is its growing acceptance as inevitable.

      > It is simply too expensive and for most merchants and issuers
      The costs may come out of their pocket, but in the end WE consumers pay all the bills.

      > it is more economical to eat fraud expenses than to spend money on eliminating fraud.
      Your unsupported statement presupposes that fraud elimination is expensive. There is at least one way to make charge card information theft a value-less crime. It is cheap too.

      > If you want to eliminate fraud then bank’s would simply decline all transactions
      > and force the customer to call to “activate” the account, the customer
      > would then complete the purchase and the bank would deactivate the card.
      That just doubled (or tripled, depends on how you count) the communications sessions per transaction. It also changed my triple hot espresso into cold coffee with melted foam while I wait for those ahead of me to activate and deactivate. Transaction times need to decrease, not increase. You’re right though, that avenue might cost more than fraud.

      We must continue to fight crooks. “All that is necessary for the triumph of evil is that good men do nothing.” Edmund Burke or maybe John Stuart Mill.

      Read Sun Tzu. In Chapter 3 there is a section that can be translated a few different ways

      For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.

      Hence to fight and conquer in all your battles is not supreme excellence; supreme excellence consists in breaking the enemy’s resistance without fighting.

      The best victory is when the opponent surrenders of its own accord before there are any actual hostilities… It is best to win without fighting.

      The supreme excellence in war is to attack enemy’s plans (rather than the enemy). Remove their will to engage by making compromised information without value. Eliminating even the possibility of reward deprives the enemy of their will to engage. Win without an expensive conflict.

      There is at least one way now, and maybe more later, but you sound like you’ve given up. To that I turn to some things remembered from our history that we should remember, lest we repeat it (Santayana).

      Numquam cede, numquam succumbe. (Latine dictum sit altum videtur)

      “To strive, to seek, to find, and not to yield.” Alfred, Lord Tennyson

      “Never, never, never give up.” Winston Churchill

      and more recently

      “Never Give Up! Never Surrender” Commander Peter Quincy Taggart of the NSEA Protector

  25. With an increasing number of instances where AV is not being effective at all, why aren’t more of these retail chains deploying malware negation / secure desktop technologies?

    Locks down the OS/desktop to basis required functions & authorised apps, and renders malware inoperable?

    Have any of you guys worked with malware negation tech and could you name a couple?

    • How about using firmware to begin with, and I mean hardware that can’t just be flashed remotely? I’m talking about POS devices with systems.

      As far as ordinary desktop scenarios, the only thing that generally catches today’s malware, and possibly APTs, is HIPS. Even a HIPS won’t catch session malware that doesn’t need to modify files, and possibly runs with the same account privileges as the session user/environment.

      Seems like the easy way is to dump the session files between transactions, much like rebooting a LiveCD. Everything that isn’t installed already cannot survive a re-boot. This would include prevention of startup folder injection. Using a drive lock utility like steady state, is one good example. Many like virtual environments, but I see too many malware that are aware of VM, and can degrade that advantage, and eventually compromise it as well.

  26. It stands to reason that America’s largest retailer would be just as likely a target, if not more so, as K-Mart, Home Depot, Dairy Queen, Jimmy Johns, Goodwill, Target… I wonder if anyone has contacted them yet? Surely they have been checking, I would hope so anyways.

  27. I’m just shocked to find out that Kmart is still in business and people are still shopping there.

  28. To get a little theoretical: I feel like we are on the brink of a new era. Instead of trying to increase security of credit/debit cards, I think we need to be looking to a whole new method of making cashless payments.

    To me, credit/debit cards are soon to be antiquated. I don’t know for sure it will even be via the payment companies we’re used to (Visa, Mastercard, etc.), that’s all dependent on their desire and ability to adapt to a changing market. In my opinion, we’re soon to see many new companies starting up with new payment processing ideas and through their innovations we will enact a new standard of technology which will in turn totally replace credit/debit cards just like credit/debit cards largely replaced cash.

    I’ve seen it mentioned a few times and I think it is true. Someone has to pay for these types of incidents, and whether or not it’s cheaper than initiating an effort to better prevent it, the consumer will be responsible for the cost in the end (whether through checking account fees, credit card fees, what have you).

    Credit/debit cards were introduced and so made paying for things easier than cash. I think now the population is begging for something safer than credit/debit cards. Likely 50 years from now, we’ll be revisiting this exact same issue again, and so on.

    • More than a theory Jim!

      “Debit Cards” and “Credit Cards” are financial constructs defined well in laws and regulations. The physical cards are manifestations of those constructs. When you enter your charge card (either type) information into a web screen you’re still using the charge card construct, but not the physical manifestation.

      There is at least one construct of charge cards that stays within the rules, uses existing transaction and communications infrastructure but moves from more expensive locks to a concept change which makes stolen charge card information valueless. In the Art of War Chapter 3/#2, Sun Tzu wrote: “Hence to fight and conquer in all your battles is not supreme excellence; supreme excellence consists in breaking the enemy’s resistance without fighting.” Today we call that “psychological warfare” removing a crook’s motivation by taking away even the possibility of reward.

      Put as a:
       question: If crooks are going to crack the vault, why put jewels there in the first place?
       statement: What Merchants Don’t Have, Crooks Can’t Steal

      If the population is begging what is preventing adoption of a concept like that?

      Jonathan @nc3mobi

      See also:
      KOS October /2014/10/malware-based-credit-card-breach-at-kmart/comment-page-1/#comment-299887
      KOS January /2014/01/new-clues-in-the-target-breach/comment-page-1/#comment-226505

  29. I made an online purchase recently. I choose to pay upon pickup.
    Kmart has my email address as part of the online purchase process.

    Why have I not received some kind of email notification from them about this issue?

    • Possibly because any of the following:
      1) Your purchase date was ‘outside’ the affected time-frame.
      2) Your payment method was not one of those being hacked.
      3) The breach was well publicized so any sentient person would be aware of the security breach.
      4) K-Mart is notifying the various financial institutions who will then notify their customers.

  30. I’m confused; their official letter states that debit cards and credit cards were not affected. “Based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by those criminally responsible. There is also no evidence that kmart.com customers were impacted. This data breach has been contained and the malware has been removed. I sincerely apologize for any inconvenience this may cause our members and customers.” This came from their website.

    • What about that statement that you pasted, Cupcake, says that debit and credit cards were not affected? You can lose credit/debit cards without also losing peoples’ personal information, if — as in this case — they only lost Track 2 data, which doesn’t include customer names. That Track 2 data does, however, contain enough information for the thieves to create counterfeit, physical copies of the cards.