boutons_deux
09-02-2014, 11:01 AM
While conducting a penetration test of a major Canadian retailer, Rob VandenBrink bought something from the store. He later found his own credit card number buried in its systems, a major worry.
The retailer, which has hundreds of stores across Canada, otherwise had rock-solid security and was compliant with the security guidelines known as the Payment Card Industry's Data Security Standards (PCI-DSS), said VandenBrink, a consultant with the IT services company Metafore (http://www.metafore.ca/).
But a simple configuration error allowed him to gain remote access. From there, he found the retailer was vulnerable to the same problem that burned Target, Neiman Marcus, Michaels, UPS Store and others: card data stored in memory that is vulnerable to harvesting by malicious software.
The problem is growing worse. The U.S. Department of Homeland Security and Secret Service warned (http://www.pcworld.com/article/2598140/us-warns-significant-number-of-major-businesses-hit-by-backoff-malware.html) last month that upwards of 1,000 businesses may be infected by malware on their electronic cash registers, known in the industry as point-of-sale devices.
...
Merchants are under heavy pressure to handle card data right every time, all the time. The PCI Council advises that retailers can't just pass an annual audit and forget about it.
A main concern is that networks are modified over time, which could inadvertently create weak points for hackers to capitalize on.
That is exactly what happened with the Canadian retailer VandenBrink tested. The company had recently finished a hardware refresh and in the process left two open Internet-facing telnet and SSH ports, he said.
The ports were password protected, but using various techniques, VandenBrink eventually discovered the right passwords. That allowed him to get access to where the payment card data was held in memory, including his own.
"I was surprised," he said. "There were thousands of cards in memory."
http://www.itworld.com/security/434118/why-hackers-may-be-stealing-your-credit-card-numbers-years?source=ITWNLE_nlt_today_2014-09-02
telnet? serious sysadmins have had it turned off for years.
ssh? why facing internet and w/o a VPN?
fucking amazing incompetence. corps and finance sector bleeds customers to death with fees, shitty products, shittier customer service, and vulnerable IT systems because they value profits over EVERYTHING. Refusing to implement 40-year-old smart cards. Getting hacked is an acceptable operating cost.