44 comments

[ 5.2 ms ] story [ 90.0 ms ] thread
(comment deleted)
Prolexic hosts this site which has for some reason kills connections from my entire IP address range (residential DSL).

Wonder what one of my IPv4 neighbors did to piss them off.

Considering how expensive point-of-sale systems are, I'm not surprised that these systems are running old, vulnerable software. Heck, there are still ATMs running OS/2 Warp in the United States; the only reason people don't hack those is because it's so obscure.

My father still uses a small pre-computer cash register to this day; I've had no luck convincing him to buy a new computerized one so he can accept credit cards.

I'm surprised these PoS systems aren't managed with automatic updates, since the merchant service providers (along with the banks) are usually the ones losing money if they get hit with chargebacks.
In europe typical deployment solves this problem (EMV is quite orthogonal to this) by the fact that card data does not touch the PoS system itself. In fact any other approach is not feasible as PoS systems themselves are invariably horrible mess of accumulated kludges and backward compatibility restrictions. And there are quite powerful economic incentives to keep this state of things. Security-wise this is one of the few situations where semi-air-gapped network makes sense (for the PoS part, with card terminals having their separate network).
> I've had no luck convincing him to buy a new computerized one so he can accept credit cards

You can still accept credit cards without a new register. It's just a different machine. They don't have to be integrated.

Almost every single doctor's office accepts credit card and exactly NONE of them have a register.

The way it works is you charge the card on a separate machine, type in the total, have them sign and put the slip somewhere and press "paid with credit" on the register if it is computerized or if it isn't then just ignore the register for that transaction.

One of the most striking things to me is this sentence: "Trustwave and other companies that get hired to investigate breaches involving card data is that far too many point-of-sale breaches start when the thieves abuse some kind of remote access tool installed on the point-of-sale device itself."

We have an incredibly secure and successful piece of remote access software (ssh) that is used on billions of computers and yet that sentence exists. It seems that sometimes it's not just an engineering problem.

SSH is no better than some random Windows-based remote admin tool if the same default password is used.
Ah yes of course, and the portion that I quoted didn't include this tidbit which I guess is what I was actually thinking about: “What the investigators we’ve worked with so far have been able to gather is that [the thieves] were exploiting not the pcAnywhere credentials, but a flaw in old versions of pcAnywhere,”

Then again old versions of SSH are probably equally vulnerable.

It would seem that there is no substitute for having a real root who has responsibility for the system, though perhaps the comment from nuxi7 is a simple way to engineer around part of the problem. Sane defaults or in this case an explicit lack of defaults could be useful.

Well, it is better, since SSH doesn't come with a default password, and you can disable the use of passwords in SSHD.
I get the low level carders (or whatever you call them -- the folks buying card data and attempting to steal goods with it). If you're stealing $500 worth of gift cards at a time, it's not like you have many life alternatives.

But somewhere there's a series of folks that (1) engineered a symantec breach; (2) someone else either knew #1 or figured out how to get their hands on source; (3) security audited said source; (4) scanned the internet to find vulnerable servers; (5) pulled cards off those servers, and (6) sold them. It seems like there's more than enough technical knowhow here that these folks should be able to get software or security jobs, no? It doesn't seem like the card thieves make so much money that the reward / federal pound-me-in-the-ass prison ratio skews far enough.

And the more I read krebs, the more I think I should get a $2k limit credit card and use it for all purchases that aren't on amazon.

That assumes that the people doing all of this are located somewhere where better paying legitimate jobs are easy to come by. They usually aren't.
even if they don't, they seem like they have enough technical chops that said jobs would find them...
Some people just enjoy being the other side of the fence. Think how many hackers do similar work 'for free' without being able to turn their hacks into cash. I guess many of this people also get a kick out of taking on something so huge and powerful and 'winning'.
> they seem like they have enough technical chops that said jobs would find them...

In my experience, jobs don't find you. By what mechanism do you think this would happen?

That depends on your exposure to people interested in you working for them. It's certain that when you are well connected jobs just find you. On the other hand it is imaginable that for many people in computer security most "jobs that find them" are not exactly ethical.

While I would not exactly position myself into computer security, I've got my share of borderline black-hat offers, although in all cases the other party believed that what they are doing is perfectly legal.

they probably don't have a degree and unfortunately in most places across the east coast, a 4 yr degree is a prerequisite
Not so sure about that. I don't have a degree, and (almost) every company I've worked for (includes engineering roles at EDS, Microsoft and Nokia) said in their job specs that they absolutely require degrees. I ignore that requirement and let my resume speak for me. It works.
The problem is getting the resume in the first place. Not that it excuses the theft, I'm just saying that companies that accept GitHub accounts as a substitute for working experience can be hard to find.
"(3) security audited said source;"

You mean found the default credentials? That doesn't take much.

"And the more I read krebs, the more I think I should get a $2k limit credit card and use it for all purchases that aren't on amazon."

Let me repeat my advocacy of the virtues of cash for face to face transactions. I normally carry a bit over $400 in my wallet, and almost always use cash for everything up to, say, $800, and around or above that, a check if I can.

Also rewards the retailer with the 2-3% or so in processing charges they'd otherwise have to pay.

I generally agree, but if the retailer is large enough they almost certainly pay a percentage of their cash payments to a Brinks-like company to securely handle the transfer of the money.
And if they aren't large enough, they pay with their time.
But at least in the latter case, not incrementally by much for my cash purchase. Every cash purchase does require a bit more work in counting the bills, but the time to deposit the cash doesn't change if it's to a night depository, and again just a little if face to face with a teller.

Unless the purchase is small, there's also a time cost in getting the signature, although that's small if the company is big enough to collect it with their POS terminal, and there's also back end reconciliation work to be done, manually if the place is small, like a non-chain restaurant.

No payment method is free of overhead and friction.

Cash means having to carry cash, count change, reorganize bills, so on and so forth. Checks mean having to write checks and earning the everlasting (and justified) emnity of everyone behind you in line because you're wasting their time.

Credit cards mean a swipe (debit cards add a PIN, oh noes) and indemnity against the fraud that occasionally blows up.

Cash loses. Checks lose hard.

Checks are only for big purchases, with vendors who know me well. Last was in 2008, for a washer and dryer bought from a GE dealership who's building was purchased from my family decades ago.

If there's a potential for a line, or a vendor who doesn't know me from Adam, as when I bought a water softener, I do use a credit card.

I personally think the overhead for routine use of cash is roughly equivalent to routinely using a credit or debit card, e.g. I don't have to keep track of all those purchases to reconcile them with my monthly statement. Carrying cash is no problem, counting change ... well, I grew up before credit card usage was routine, so it's second nature, and reorganizing the bills etc. takes very little time. It helps that I have a standard load out that's makes refreshing my wallet easy, as well as making change, at least half the time I provide exact change, or an amount that makes my return change easy. Doing the mental math also has its advantages.

Don't know how I've managed it, but I've never needed to do a charge back in 31 years of using credit cards. Certainly there's not much potential for fraud in my face to face translations.

My youngest bother and his wife used to regularly shop at Target; that turned out be a significant hassle due to the recent breach. Hmmm, and only I can quantify the value of increased peace of mind by limiting my exposure to credit card fraud.

Credit and debit cards also "lose".

I think the counting cash is more on the merchant side. Managing, securing and depositing cash in your account isn't free(and the cost does often change with the amount).

The fact that you haven't needed to do a chargeback doesn't mean you haven't benefited from the existence of them. The fear of a chargeback forces merchants to act in your best interest.

What hassle did your brother experience with the breach did he not just have a replacement card mailed out?

The details of the hassle weren't mentioned, but if one of mine was breached there would be accounts charging recurring payments that would need the new numbers.

It also took a long while for the breach to be realized, they might have had issues with bogus charges on their cards. And it would be at least two cards, one each for him and his wife.

Credit card companies now a days tend to keep the existing recurring payments going even when they cancel your card for these types of reasons up until it would normally expire so thats not a real problem any more.

If they had bogus charges it would have been dealt with the same as any credit card fraud. They would sign a statement that they didn't make the charges. The funds would be reversed and they'd be sent new cards.

The fact that they know its related to Target means they probably didn't have those issues.

How do you know they don't already work in computer security? People are greedy.
"Chaves said the store owners told him the devices had remote access via Symantec’s pcAnywhere enabled, access that was granted to anyone knew the same set of default credentials."

Maybe its because The Cuckoo's Egg is what got me into this field, but I cringe everytime I hear this. Its 25 years later and we are still getting breaches based upon using default credentials.

This isn't even a hard problem to solve, you have three options: 1. Do not have a default password and prompt the user for one during setup. 2. Do not have the same default on every device, create it automagically from a serial number or something. 3. Have the system be unusable for the intended purpose until the default password is changed.

A lot of these default passwords on non-consumer devices aren't user admin accounts but tech support accounts. So #1 and #3 don't work, because the user doesn't get the password.

But there is also a 4th option, the user somehow enables the support account.

“The clerk told me they would come into the store in pairs, using multiple credit cards until one of them was finally approved, at which point they’d buy $500 each in prepaid gift cards,”

"We have two Family Dollar stores in Everett and a bunch in the surrounding area, and these guys would come in three to four times a week at each location, laundering money from stolen cards"

You would have thought they would report them.

You might think, but a few years ago, but when credit was crazy cheap in the UK and they were just throwing credit cards at people, I had friends who would go through this process each time they were picking up a bar tab. The credit card company won't let you go over your limit and don't forget just a few years ago there was no easy way to check your limit other than waiting for the bill or calling the company.

I wouldn't be surprised if many people in the service industries still see this type of multi card roulette daily.

I can imagine if the clerk did report his concerns, he'd likely be told they were good customers so why rock the boat....

> I can imagine if the clerk did report his concerns, he'd likely be told they were good customers so why rock the boat....

Isn't the merchant liable for the chargebacks? Or in this case, who was footing the bill for this fraud?

The merchant may be liable - but the minimum wage clerk...?
Minimum wage clerk is not liable due to many laws that protect employees from wage abuse without a judgement in court[1] but they can surely get fired for negligence in reporting suspicious activity.

[1] http://www.seyfarth.com/dir_docs/publications/NEHT01120810.p...

>As a practical matter, the Court’s decision means that employers can- not safely take deductions for theft or damage to property unless fault and value have been determined by a court of law or government agency.

The bank, most likely, or their insurance provider. Deoending on US law (which protects people less than the UK AFAICT) the customer may have some liability. But basically the bank OK'd the transactions so it's on them.

Of course if it's that frickin' obvious what's going on then the merchant will find themselves under review and saddled with much higher fees after a while.

>I wouldn't be surprised if many people in the service industries still see this type of multi card roulette daily.

Worked as a cashier about 10ish years ago. Never once saw multi card roulette.

Of course once in a while some people would say "20 on this card and 10 in cash." Never seen it with more than one card though. I almost never saw people get declined, I think it happened like 5 times total. It would be highly suspicious to me, especially coming from the same person!

Yeah, but this was a "dollar store", which in the US typically exist to serve low-income areas. Unfortunately, "snitches get stitches" is a pretty common attitude in these areas. Source: years living in said areas.
Credit card numbers aren't particularly secret (if you think of all the retail staff online, on the phone and offline) that have access to them. The thing that manages fraud and keeps the value of card numbers down is the difficulty in converting card numbers to cash or goods safely and anonymously.

I'm slightly surprised that the gift cards scheme works as I don't see why there couldn't be a revocation list for gift cards circulated amongst stores that is added to when a chargeback occurs. Even if it doesn't it still exposes the criminal when buying the gift card.

Security of credit card industry is built not on hard computer security principles but on auditing and ability to point fingers. This breaks with enough levels of indirection and gift cards add such additional level of indirection.

Also gift cards have secondary (and probably more important) use for thieves. Giftcard is legitimately looking magstripe card that in many cases gets processed in same way as card payment, so you can just write stolen magstripe data onto giftcard and get something that does not raise suspicion (store clerk is not going to verify that card number matches or event that payment method matches).

Given how easy it is to buy stolen cards, encode them onto gift cards and then use those cards to buy goods in big-box stores that can be easily resold for cash, Lavey said he wonders why old-fashioned bank robberies are still a problem.

EMV.

I know it's far from perfect, but it raises the bar considerably. You can't just clone EMV cards that way. The USA really ought to try to catch up with the rest of the world on this front.