It's likely Windows XP embedded, which doesn't enforce code signing.
I've worked around some Retalix (NCR) POS software (mentioned in the article, though in Canadian stores) and I can safely say that the security posture of the software of theirs that I've seen is simply horrible.
Perhaps Target has newer stuff than what I've worked with, but I'm talking about VB 6 code running in XP embedded using a "database" back-end that amounts to some Btrieve database files on an SMB share marked "Everyone / Full Control". Getting remote code execution on the POS machines would be trivial.
I was a contractor in Stores Dev at Target about 6 years ago, at that time the POS ran custom software running Win XP Embedded like the article mentioned. Most of the software was pretty ancient, the stuff I saw was first written in 1993.
In this context, is the POS device the cash register or the CC reader used by the customer? I was assuming it was the reader device they were referring to, but it seems like those would run software from the manufacturer, not Target.
I noticed that some Target stores have the Verifone MX925 [1] which seem to have been installed in the past year.
The POS systems that I've observed in a standard retail setting have three main components: the printer for receipts, the main terminal (POS system) in which items are scanned (which runs the Windows XP for POS), then the credit card reading machine for CC payment processing. So in this context, the POS device is the cash register.
The Verifone MX800 series, at least, can have Customer-supplied binaries installed. There's code-signing on the MX800-series devices, but I am aware of at least one version of the firmware that allows an attacker to get root access on the device pretty easily via the touchscreen UI and Ethernet port, assuming that default passwords aren't changed on the device.
you're probably right though it astounds me that this relationship would be bidirectional eg: web servers can make requests to individual stores.
Security implications aside if it was engineered that way it would make for highly variable response times and diminished reliability: not only would you have to make 50+ queries but those queries would have to be across a wan instead of being colocated.
I can't imagine that anyone would design a system in such a way. It would be far more likely that transaction data would be uploaded to a central database which tracks store inventory.
If I had to wager a guess, I'd say remote access for support purposes. The "web site" very well could have been something like a Citrix or Juniper remote access web interface.
Sadly, I think the only one who's going to benefit here are credit card companies. I can almost picture the "Theives are getting more sophisticated, we're getting more sophisticated than them with the new nano-carbon unobtanium mastercard" commercials.
I've had my card number fraudulently used twice via what I thought were reasonably safe websites with large volumes, SSL, etc. I've also had my card company call me a dozen times when I've bought large gifts or spent a few hundred dollars at a few stores in a row running errands a mile from home on a saturday morning. Perhaps some effort should be made towards better detecting true fraud at scale (i.e, "get rich quick" dvd's being purchased by a few hundred of your consumers in a short time) rather than what would be a typical IT dork's every so often spending spree before a holiday.
I got a data breach notification saying my data was compromised and here's your free monitoring blah blah blah. The thing is, I haven't physically been into a Target for over two years if memory serves, and last time I ordered online from Target was well before that.
I wonder if there's more that hasn't hit the news, or if Target figured better safe than sorry on the notifications.
16 comments
[ 5.5 ms ] story [ 44.1 ms ] threadActually, they have my sympathy. Somehow I doubt the POS OS does any sort of signature verification. We might see that soon, however!
I've worked around some Retalix (NCR) POS software (mentioned in the article, though in Canadian stores) and I can safely say that the security posture of the software of theirs that I've seen is simply horrible.
Perhaps Target has newer stuff than what I've worked with, but I'm talking about VB 6 code running in XP embedded using a "database" back-end that amounts to some Btrieve database files on an SMB share marked "Everyone / Full Control". Getting remote code execution on the POS machines would be trivial.
I noticed that some Target stores have the Verifone MX925 [1] which seem to have been installed in the past year.
[1] http://www.verifone.com/products/hardware/multimedia/mx-925/
But its probably for an "is it in stock in a store near me", which might by tied into the inventory/ pos system.
Security implications aside if it was engineered that way it would make for highly variable response times and diminished reliability: not only would you have to make 50+ queries but those queries would have to be across a wan instead of being colocated.
I've had my card number fraudulently used twice via what I thought were reasonably safe websites with large volumes, SSL, etc. I've also had my card company call me a dozen times when I've bought large gifts or spent a few hundred dollars at a few stores in a row running errands a mile from home on a saturday morning. Perhaps some effort should be made towards better detecting true fraud at scale (i.e, "get rich quick" dvd's being purchased by a few hundred of your consumers in a short time) rather than what would be a typical IT dork's every so often spending spree before a holiday.
I wonder if there's more that hasn't hit the news, or if Target figured better safe than sorry on the notifications.