Same old Target: How retailers get hacked
The retail industry is a common target for hackers, mainly because that's where the money is. But as Sophos security expert James Lyne demonstrates, their defences are all too often easily exploitable.
How to hack your favourite retailer
SCMagazineUK.com met Lyne in central London towards the end of last month to demonstrate an array of attacks against retailers, from pilfering financial records by using a backdoor Remote Access Trojan (RAT) and malware against unidentified POS software running on Windows XP to cloning magnetic stripe credit cards, stealing Bitcoins and even spoofing credible websites like ‘Verified by Visa'.
The hour-long demonstration came at an interesting time; in the same week the British Retail Consortium had revealed that retail crime had reached an all-time high in 2013 to 2014, with fraud (including cyber-enabled fraud, which is being actively investigated by the Metropolitan Police's Falcon squad) increasing 12 percent year-on-year.
This study was only months after Sophos' own research indicated that retailers largely relied on dated security technologies like firewalls and anti-virus software. More worryingly still, 72 percent admitted they didn't implement basic encryption while a staggering 41 percent didn't even know why they implemented security controls.
Cloning a credit card
The first of Lyne's demonstrations was on cloning magnetic stripe (Magstripe) cards, the security of which has been a topic of discussion in the US ever since the Target breach which – according to Lyne – saw some Target cards being processed at Brazilian banks.
Unlike the UK, which has embraced EMV-compliant chip-and-pin cards, the US remains reliant on Magstripe cards, which leaves them vulnerable to cloning and other attacks.
Using his own credit card, a £150 magnetic stripe card reader and writer ordered on Amazon and “readily-available” open-source software (coupled with a Python interface he developed – but hasn't released) the SANS instructor was able to swipe the card, cache the first name, second name, expiry date and coded version for the start date, plus the bank identifier code which pinpoints who the card belongs too. “On non-EMV payment gateway that plus the signature is more than enough,” said Lyne.
SC swiped a credit card through, and copied the details onto a white blank card not dissimilar to a hotel key card. At this point, the researcher got an exact match on the data. “You cannot tell the difference, they are one for one – the same.”
“Here's the thing…this is old technology and in security and technology we know that Magstripe is old and clone-able but I think a lot of people are surprised that this kit is so readily available. I ordered this on Amazon and it arrived two days later – it's not some shady Polish cyber-criminal.”
The good news, for UK readers at least, is that chip and pin cards are less susceptible. Lyne could pick up “tons of data” about the card, but still needed the PIN number. He did say that these cards could be compromised via timing and duplication attacks, although this is “a lot harder.”
Lyne would later demonstrate a similar – if less profitable attack – against other loyalty cards of coffee shops and hotel key cards, which have little or no authentication of the user (he had even cloned his hotel card the night before). We tried to copy my work access pass, although this was somewhat more secure as it is a Mifare card (Lyne added that a £130 Proxmark kit should be able to crack it).
“There's basically no security to this stuff whatsoever, it's fairly horrible.”
Backdoors into POS
A more alarming and sophisticated attack saw Lyne ‘steal' credit card details from a retail POS system running on Windows XP – all the while operating on the internet.
For this, he used open-source software, a remote-access Trojan (RAT), customised malware and a phishing site.
The POS was tunnelling out of the network to a website, so Lyne jumped on the website's backdoor, and seeing that the card file was encrypted, stole the details recently processed from memory. All recent transactions – including CVV numbers and expiry dates - were copied in a one-time dump but he added that hackers could foreseeably live-stream each transaction if preferred.
This retailer would have been PCI compliant at the time, said Lyne, who said that you could steal “millions of cards ala Target in this way.” “It's a RAM Scraper if you will.”
Lyne did add that this attack could be thwarted by rebooting the PC, as the memory would be lost, but said that a 24-hour period would still be long enough for cyber-criminals to gather sensitive data and make some serious money.
It is worth noting that some POS vendors do encrypt their memory, so any attack like this would likely result in the hacker grabbing encrypted details. Target, however, used a solution that didn't encrypt memory.