http://techbeat.com/2014/01/programmer-claims-responsibility-malware-used-target-data-theft/

A programmer from Saratov, Russia, has claimed responsibility for arming the Kaptoxa malware used to steal personal details of about 110 million customers of the US retail chain Target and other stores.

In a recent interview with the Russian website lifenews.ru, Rinat Shabayev has admitted that he modified Kaptoxa (also known as BlackPOS), a tool that can be used to test computer systems for vulnerabilities. Apparently he later sold the malware on an open market, with the knowledge that it may be used for criminal purposes.

Shabayev says he never used Kaptoxa to steal data himself. He is currently looking for a well-paid job and has already received an offer. The story seems to side with with earlier reports that part of the Kaptoxa code was written in the Russian language.

http://techbeat.com/wp-content/uploads/2014/01/investing.com_-e1390423881819.jpg


According to Shabayev, Kaptoxa (Russian for potato, written in ‘volapuk’ code) was created for sale through subversive hacker communities. While working on a modification, the programmer known online as ‘ree4’ had collaborated with an anonymous partner whom he met online. The two people did not stay in touch and Shabayev says he doesn’t even know where the other contact resides.

Shabayev told lifenews.ru. “If the software is used with bad intentions, you can earn decent money, but that’s illegal. I didn’t want to do this kind of work, simply wrote it for sale, so I didn’t have to use it myself. Other people can use it, and it will be on their conscience.”

Between 27 November and 15 December, 40 million card details and 70 million personal records including names, mailing addresses and phone numbers of Target customers were compromised. The attack was specifically aimed at Point-Of-Sale (POS) payment systems.

To apologise, the retailer offered one year of free credit monitoring and identity theft protection to all guests who shopped in its US stores. Despite this gesture, multiple lawsuits have been filed across the United States by Target customers in regards to the information theft.

[Image via investing]

SOURCE: http://www.techweekeurope.co.uk/news/russian-programmer-claims-responsibility-malware-used-target-attack-136771

line item on the CV: 70 million shoppers compromised with my software.


“Trust in the Internet is declining as a result of data misuse, hacking and privacy intrusion,” said Axel Lehmann, Chief Risk Officer at Zurich Insurance Group.http://www.insurancejournal.com/news/international/2014/01/24/318372.htm

Some groups are beginning to wake up to the risks. AIG, the big US insurer, says that sales of “cyber insurance” surged (http://www.ft.com/intl/cms/s/0/94358fee-7d55-11e3-a48f-00144feabdc0.html) by a third last year over 2012. But far too many remain complacent – an Experian survey last year found that only 31 per cent of US companies are insured against a cyber attack. Only two-thirds of big companies surveyed by Kroll said they were investing in internet security, even though three-quarters acknowledged being vulnerable to hacking (http://www.ft.com/cms/s/0/cc62dc38-3759-11e3-9603-00144feab7de.html?siteedition=intl).

Target has already counted the cost in lost sales and alienated shoppers.

http://www.ft.com/cms/s/0/d01d564a-7f58-11e3-94d2-00144feabdc0.html#axzz2rPqZ9WXU


US CERT Warns About Point-of-Sale Malware (https://securityledger.com/2014/01/us-cert-warns-about-point-of-sale-malware/)

With news of the breach of big-box retailer Target Inc. still in the headlines, the U.S. Computer Emergency Readiness Team (CERT) issued a warning about the danger posed by malicious software targeting Point of Sale (POS) systems.

CERT issued an advisory (TA14-002A) (http://www.us-cert.gov/ncas/alerts/TA14-002A) on Thursday asking POS owners to take steps to secure the devices, and telling consumers to beware. The warning comes after a string of reports that suggest that malware attacking point of sale systems is on the rise.

Security experts have noted that POS systems often run versions of commercial operating systems like Windows :lol :lol :lol

and suffer from many of the same security woes as those systems, including exploitable software vulnerabilities (http://securityledger.com/category/threats/vulnerabilities/), weak authentication and susceptibility to physical tampering.

https://securityledger.com/2014/01/us-cert-warns-about-point-of-sale-malware/

So the cheap-ass corps aren't protecting themselves with insurance, and aren't protecting themselves from lost sales and their customers from data/money/TIME! lost by not using secure software at POS and not running hard-core firewalls at their networks edges.

The banks aren't protecting themselves and their customers by investing, after decades of use in Europe and elsewhere, of smart cards with embedded chips, encryption


"(smart card) Invention

In 1968 and 1969 German (http://en.wikipedia.org/wiki/Germany) electrical engineers Helmut Gröttrup (http://en.wikipedia.org/wiki/Helmut_Gr%C3%B6ttrup) and Jürgen Dethloff (http://en.wikipedia.org/wiki/J%C3%BCrgen_Dethloff) jointly filed patents for the automated chip card (for details see page of Helmut Gröttrup (http://en.wikipedia.org/wiki/Helmut_Gr%C3%B6ttrup)). French inventor Roland Moreno (http://en.wikipedia.org/wiki/Roland_Moreno)[3] (http://en.wikipedia.org/wiki/Smart_card#cite_note-3) patented the memory card concept[4] (http://en.wikipedia.org/wiki/Smart_card#cite_note-cwhrmoreno-4) in 1974.

An important patent for smart cards with a microprocessor and memory as used today was filed by Jürgen Dethloff (http://en.wikipedia.org/wiki/J%C3%BCrgen_Dethloff) in 1976 and granted as USP 4105156 in 1978.[5] (http://en.wikipedia.org/wiki/Smart_card#cite_note-5)

In 1977, Michel Ugon from Honeywell Bull (http://en.wikipedia.org/wiki/Groupe_Bull) invented the first microprocessor smart card.

In 1978, Bull patented the SPOM (self-programmable one-chip microcomputer) that defines the necessary architecture to program the chip.

Three years later, Motorola (http://en.wikipedia.org/wiki/Motorola) used this patent in its "CP8".

At that time, Bull had 1,200 patents related to smart cards. In 2001, Bull sold its CP8 division together with its patents to Schlumberger, who subsequently combined its own internal smart card department and CP8 to create Axalto.

In 2006,Axalto (http://en.wikipedia.org/wiki/Axalto) and Gemplus, at the time the world's top two smart card manufacturers, merged and became Gemalto (http://en.wikipedia.org/wiki/Gemalto).

In 2008 Dexa Systems (http://en.wikipedia.org/w/index.php?title=Dexa_Systems&action=edit&redlink=1) spun off from Schlumberger (http://en.wikipedia.org/wiki/Schlumberger) and acquired Enterprise Security Services business, which included the smart card solutions division responsible for deploying the first large scale public key infrastructure (http://en.wikipedia.org/wiki/Public_key_infrastructure) (PKI) based smart card management systems.

The first mass use of the cards was as a telephone card (http://en.wikipedia.org/wiki/Telephone_card) for payment in French pay phones (http://en.wikipedia.org/wiki/Payphone), starting in 1983." <<<<<<<<<<<<<<<<<<<<<<<

http://en.wikipedia.org/wiki/Smart_card

So Rummy's Old Europe beat the shit out of USA in this technology. No doubt, there's NIH resistance by US banks to using smartcard technology. They are the captive of their shitty, easily, widely forged magnetic card stripe cards. smartcards have both embedded processor and mag stripe.

Visa CFO: 'Quite a bit of investment' needed to install chip technology

Visa's chief financial officer said that securing retail point-of-sale infrastructure will take a hefty investment, chips on credit cards are critical and better encryption may be the fastest way to secure transactions.

Byron Pollitt, CFO of Visa, said at the Morgan Stanley Technology Media & Telecom conference that cybersecurity is the No. 1 topic in the payment ecosystem following the widely publicized data breaches at Target. Target CIO Beth Jacob resigned on Wednesday.

Pollitt characterized security as a never-ending investment cycle for retailers. In the near term, Pollitt said Visa will be "pushing more in the encryption activity. Encryption that goes beyond the minimum required to be PCI compliant."

Why? Better encryption could be implemented the fastest. So-called chip and PIN technology is also critical, but will take more time to implement, he said. EMV (Europay, Mastercard, Visa) puts chips on cards and makes them harder to counterfeit. About 70 percent of fraud revolves around the magnetic stripe on credit cards.

Pollitt said:

When you have a high penetration of chip cards and merchants with chip readers and you have replaced the magstripe, you have replaced the primary driver of counterfeit.


However, Visa's take is a bit more nuanced. Pollitt said he wasn't sold on PINs.

Our view is it is chip and choice, and that PIN could well be a red herring here because two-thirds of the retailers in the United States do not have a PIN pad with their POS terminal, two-thirds.
And so if PIN were to be included as a fix at the same time, in our view, it would dramatically slow the rollout of EMV, which is chip, and chip is what gets you to 70 percent of the fraud. The lost and stolen is addressed by PIN.

And there are lot of other issues with PIN. But given the catalyst of the Target breach, the urgency that the industry feels now to take action to get fraud levels down, chip is the horse that will win the race if we let it run as fast as it can. And that means keep focused on chip, get the chip readers in place, get the cards replaced with chip and get that foundation in. And at that point we should have substantially dealt with the primary cause of fraud at the physical point of sale.


Chip infrastructure can and should be rolled out, but it'll take "quite a bit of investment" to make EMV the norm in the U.S., said Pollitt, who added most retailers will have to upgrade their terminals.

He said:

These terminals are going to have to be replaced, which means investment. And then if you were to look in your wallet I strongly suspect you might have one card with a chip on it, some of you will have none.

So all of these cards are going to have to be reissued with chips and so that's an issuer cost. The retailers and/or the acquirers are going to be investing in the chip terminals. A lot of software work to make sure that all this happens.


Pollitt also noted that the investment cycle against fraud can't end because cybercrime just moves to the next weakest link. Better encryption and chips can be deployed and PINs will be targeted. "You invest, you strengthen and then fraud moves," he said. "The resourcefulness, the intellect, the level of innovativeness in the fraud sector is absolutely amazing. I don't know where their Silicon Valley is. I think it moves. But it is just a proposition that will never end."

http://www.zdnet.com/visa-cfo-quite-a-bit-of-investment-needed-to-install-chip-technology-7000027067/#ftag=RSS14dc6a9

"just a proposition that will never end" so VISA+banks CARTEL admit they can't win, so the don't even fight?

rather than spend the $Bs to protect their card holders, they prefer to let their card holders get ripped off and spend hours,days, months getting their money back, if ever. Old Europe has had smart cards for decades.

aka "shittiest possible product for the highest possible price"

Invention[edit (http://en.wikipedia.org/w/index.php?title=Smart_card&action=edit&section=2)]


In 1968 and 1969 German (http://en.wikipedia.org/wiki/Germany) electrical engineers Helmut Gröttrup (http://en.wikipedia.org/wiki/Helmut_Gr%C3%B6ttrup) and Jürgen Dethloff (http://en.wikipedia.org/wiki/J%C3%BCrgen_Dethloff) jointly filed patents for the automated chip card (for details see page of Helmut Gröttrup (http://en.wikipedia.org/wiki/Helmut_Gr%C3%B6ttrup)).

French inventor Roland Moreno (http://en.wikipedia.org/wiki/Roland_Moreno)[3] (http://en.wikipedia.org/wiki/Smartcard#cite_note-3) patented the memory card concept[4] (http://en.wikipedia.org/wiki/Smartcard#cite_note-cwhrmoreno-4) in 1974.

An important patent for smart cards with a microprocessor and memory as used today was filed by Jürgen Dethloff (http://en.wikipedia.org/wiki/J%C3%BCrgen_Dethloff) in 1976 and granted as USP 4105156 in 1978.[5] (http://en.wikipedia.org/wiki/Smartcard#cite_note-5)

In 1977, Michel Ugon from Honeywell Bull (http://en.wikipedia.org/wiki/Groupe_Bull) invented the first microprocessor smart card. In 1978, Bull patented the SPOM (self-programmable one-chip microcomputer) that defines the necessary architecture to program the chip.

Three years later, Motorola (http://en.wikipedia.org/wiki/Motorola) used this patent in its "CP8".

At that time, Bull had 1,200 patents related to smart cards. In 2001, Bull sold its CP8 division together with its patents to Schlumberger, who subsequently combined its own internal smart card department and CP8 to create Axalto.

In 2006,Axalto (http://en.wikipedia.org/wiki/Axalto) and Gemplus, at the time the world's top two smart card manufacturers, merged and became Gemalto (http://en.wikipedia.org/wiki/Gemalto).

In 2008 Dexa Systems (http://en.wikipedia.org/w/index.php?title=Dexa_Systems&action=edit&redlink=1) spun off from Schlumberger (http://en.wikipedia.org/wiki/Schlumberger) and acquired Enterprise Security Services business, which included the smart card solutions division responsible for deploying the first large scale public key infrastructure (http://en.wikipedia.org/wiki/Public_key_infrastructure) (PKI) based smart card management systems.

The first mass use of the cards was as a telephone card (http://en.wikipedia.org/wiki/Telephone_card) for payment in French pay phones (http://en.wikipedia.org/wiki/Payphone), starting in 1983

http://en.wikipedia.org/wiki/Smartcard#History

Target's CIO or something resigned this week. Target, even w/o smartcards, was running wide open.

btw, VISA cards in Europe are smartcards.

MasterCard, Visa Team Up To Improve Payment Security

Credit-card rivals Visa and MasterCard said Friday they have formed an industry-wide group aimed at improving payment security in the wake of a number of breaches that compromised customers' data.

"The recent high-profile breaches have served as a catalyst for much needed collaboration between the retail and financial services industry on the issue of payment security," Visa President Ryan McInerney said in the statement.

According to Reuters:

"The new group, which will include banks, credit unions, retailers and industry trade groups, will initially focus on the adoption of the safer 'EMV' chip technology in the United States, MasterCard and Visa said on Friday."

"EMV chip technology, already used in Europe and Asia, stores information on computer chips rather than on traditional magnetic strips. EMV stands for Europay, MasterCard and Visa, the companies that launched the technology."


As we have reported in recent months, both said in 2012 that they had experienced problems with third-party providers. High-profile customer data compromises occurred later at , , and The Wall Street Journal writes:

"The events have ... reignited bickering between retailers and financial institutions, who have accused each other of dragging their feet on adopting technology that could limit the impact of data breaches."

"'Only through industry collaboration and cooperation will we address the real and immediate issue of security,' Chris McWilton, president of North American Markets for MasterCard, said in a statement."


that the move away from magnetic stripe technology toward the EMV chips had reached a tipping point in recent months:

"Industry leaders know magnetic stripes are outdated and easily exploitable. The rest of the world moved on to a more secure, harder-to-hack payment system based on chip-enabled cards — chip and PIN. Chip-enabled cards are more secure because the data on the chip are hidden behind encryption. So even if criminals intercept what's on it, they can't reuse it."


http://www.npr.org/blogs/thetwo-way/2014/03/07/287289683/mastercard-visa-team-up-to-improve-payment-security?sc=17&f=1001

We'll see how much cost the bank cartel dumps on retailers.