There's no hope for our payment systems

Summary: The lesson of the Target payment card breach is that we'll never stop such attacks without an effective second factor, and that's going to be a tough sell.

By all accounts, the recent breach of Target point-of-sale systems and the resulting exposure of tens of millions of credit card records and other personal customer data was a sophisticated effort by an experienced criminal gang. And yet, in a sense, there's really nothing new or innovative about it. It may have been built with off-the-shelf malware components.

How mad should we get at Target and other large corporations that get breached in this way? Personally (and speaking as a regular Target customer) I'm somewhat mad at Target, but it's not like they're much less responsible than the rest of the world and it's not going to stop me from shopping there. Especially with 20-20 hindsight, surely there was more they could do, but the real problem is bigger than them. It's the fact that the US payments system demands such convenience that we'll never be able to stop these attacks.

If you're interested in a good description of the malware and who probably built it, read Brian Krebs's accounts: Part 1 and Part 2.

The only real mystery left, if I understand it correctly, is how the attackers executed their initial privileged penetration of the Target networks. They got to the point of being able to distribute memory-scraping malware to the point-of-sale systems in stores in order to capture credit card data as it was swiped at the machines. Here is a Symantec write-up on what appears to be one of the point-of-sale malware samples.

From the write-up we can tell that the malware required significant privileges on the PC/point-of-sale (POS) terminal, as the first thing it does on execution is to install a malicious service in the System32 directory, along with the requisite registry keys in HKLM to run it. So already we know that the POS terminals are not as locked-down as they should be; even if the malware was undetectable by scanners at the time, the fact that a privileged program was pushed to all their terminals should register interest somewhere in their IT group.
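One way an IT group could notice that kind of push, as an added example that is not from the original article or the Symantec write-up: Windows logs event 7045 ("A service was installed in the system") on each machine, and the sketch below flags any service not on an approved baseline that appears on several terminals within a short window. The host names, service names, paths, baseline and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 7045 records: (time, host, service name, image path).
# Every host, service name and path below is invented for illustration.
SAMPLE_EVENTS = [
    ("2014-01-10T02:10:05", "POS-0001", "ExampleSvc", r"C:\Windows\System32\examplesvc.exe"),
    ("2014-01-10T02:14:40", "POS-0002", "ExampleSvc", r"C:\Windows\System32\examplesvc.exe"),
    ("2014-01-10T02:21:12", "POS-0003", "ExampleSvc", r"C:\WINDOWS\system32\examplesvc.exe"),
    ("2014-01-10T02:29:58", "POS-0004", "ExampleSvc", r"C:\Windows\System32\examplesvc.exe"),
    # Change-controlled rollout that is on the approved baseline.
    ("2014-01-11T01:00:00", "POS-0001", "PosAgentUpdater", r"C:\Program Files\PosAgent\updater.exe"),
    ("2014-01-11T01:02:00", "POS-0002", "PosAgentUpdater", r"C:\Program Files\PosAgent\updater.exe"),
    ("2014-01-11T01:04:00", "POS-0003", "PosAgentUpdater", r"C:\Program Files\PosAgent\updater.exe"),
    # A single install on one terminal: below the fleet-wide threshold.
    ("2014-01-12T09:30:00", "POS-0007", "OneOffTool", r"C:\Tools\oneoff.exe"),
    # The same service on three terminals, but days apart.
    ("2014-01-13T10:00:00", "POS-0001", "SlowSvc", r"C:\Windows\System32\slowsvc.exe"),
    ("2014-01-15T10:00:00", "POS-0002", "SlowSvc", r"C:\Windows\System32\slowsvc.exe"),
    ("2014-01-17T10:00:00", "POS-0003", "SlowSvc", r"C:\Windows\System32\slowsvc.exe"),
]

# Hypothetical baseline of (service name, lower-cased image path) pairs
# that went through change control.
APPROVED = {("PosAgentUpdater", r"c:\program files\posagent\updater.exe")}


def suspicious_rollouts(events, approved, min_hosts=3, window=timedelta(hours=1)):
    """Return {(service, path): [hosts]} for unapproved services installed on
    at least `min_hosts` distinct terminals within any span of `window`."""
    installs_by_service = defaultdict(list)
    for ts, host, name, path in events:
        key = (name, path.lower())  # Windows paths are case-insensitive
        if key not in approved:
            installs_by_service[key].append((datetime.fromisoformat(ts), host))

    findings = defaultdict(set)
    for key, installs in installs_by_service.items():
        installs.sort()
        start = 0
        for end in range(len(installs)):
            # Slide the window start forward until the span fits.
            while installs[end][0] - installs[start][0] > window:
                start += 1
            hosts = {h for _, h in installs[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings[key] |= hosts
    return {key: sorted(hosts) for key, hosts in findings.items()}
```
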

Yes, it's possible that large corporations will allocate sufficient resources to securing their infrastructures properly in a way that will make these attacks far more difficult; it would be foolish to say they can be made impossible. I just don't expect this to happen. Best practices like the principle of least privilege have been known for ages, and the Target breach is just more evidence that they are skirted regularly in the real world, usually because it's a pain in the butt to implement them correctly.

If we're going to make a real change in the security of our payment systems it's going to have to come with some other sort of change, and the only real candidate is strong two-factor authentication (2FA). The comparatively easy ways to do 2FA, like Chip and PIN, have their own vulnerabilities and it's not clear to me whether they would defeat POS-resident malware; if the Chip-PIN verification were done by the POS system then the malware could scrape the PIN as well. There are ways around this, such as doing the verification stage in hardware right in the reader. This still leaves the possibility of skimmers and keypad spies on those readers, but at least this isn't anywhere near as scalable as what the Target thieves did.

Getting Americans to use something like Chip and PIN would be really hard. It would require an enormous capital investment by retail businesses and banks and processors and create a large support burden. The better 2FA systems, which use one-time codes delivered through a separate device, would be even harder to push through. And don't even think of suggesting biometrics!

This episode is another example of what seems to be a law of human nature: there is a general trade-off between security and convenience. The more security you want, the less convenience you can expect; the more convenience you want, the less security you can expect. You can't have it all. I saw this law exhibited in a display at the International Spy Museum in Washington, DC. It was said by a US General in 1954, well before there were cybersecurity issues.

At the International Spy Museum

Americans may demand both convenience and security, but while they know when things are inconvenient, they generally have no idea if they are secure. They can also kid themselves that a transaction is secure when it may very well not be.

This is where we ask the tough question: If we're not willing to do what it takes to secure our payment system, does that mean we have to be willing to put up with its vulnerabilities? Ooohh, there's an uncomfortable thought! But I do think this is the question we need to ask, and I don't expect us to ask it honestly. It's too unpleasant.

  • Cash

    plastic only when necessary
    that is how to protect yourself
    it is a pain to pay before you pump but you save a little money too
    • Perhaps ...

      One has to remember that carrying around a lot of cash brings its own risks. It tends to attract the wrong kind of people. Swipe a credit card when you buy that new TV and nobody pays much attention, but handing over a wad of $100 bills is a different story. You risk being cased and stalked. Everything in life carries risks, you just have to choose your poison.
      George Mitchell
      • OK, then, Cash and Checks

        I carry two to five hundred in cash and a couple checks in my wallet. The inconvenience of writing a check is minimal as purchases while out and about are rarely larger than my cash stash. I'm about done with this whole mess.
    • I'd rather have my wallet stolen with

      a few credit cards that I can have cancelled than with hundreds of dollars of cash in it.
    • FREE

      Avoid the whole payment fraud debacle and make everything FREE, problem solved.
      • lol

        lol, best idea yet! Now, if you'll excuse me, I'm heading down to the Ferrari dealership.
  • Least Privileged Access

    You made the comment about least privileged access seen as a pain to implement by many. I used to think so too before I actually did it here. The amount of time it took to clean malware, deal with users installing applications not approved, etc, the effort to reduce privs on each workstation (through GPO mind you) was minuscule in comparison. So is the need to take on additional overhead at our help desk if something legit does need admin rights to change / install. If I were to guess, the principle of least privileged access here represents about 80+% of my effective threat mitigation.

    Of course, if your app developers do not code well for this environment and require admin rights to run, we will never win unless we scrap those solutions for more secure ones.

    That said, a POS system is in no way used like a workstation in an office, and I cannot fathom for the life of me why these would not be locked down by default. This is a big fail on their part.
    • It's Windows...

      And you can't lock it down enough.

      Almost the only way this could have propagated so far is to hijack the update mechanism.
      • that's just not true

        Certainly since Vista it's been very possible to do. It's not easy in a complex environment, especially when software is written to use excessive privileges, but you can definitely lock down a Windows system through group policy so that it has no access to what it doesn't need, you can block off access to things like USB ports, you can do a lot.
        • Even Windows 2000 could be secured enough to prevent this

          They got owned due to lax systems and network security implementation. This was preventable and should have been detected and blocked even if they had insider help.
          • Depends...

            Depends just how "insider" the help was. Did the insider have Enterprise Admin credentials on the network? If so then you're going to have one heck of a time stopping him.
        • You didn't pay attention.

          The attack is so widespread that it could not be carried out manually.

          It nearly had to be done via the update mechanism, and that cannot be blocked.

          USB ports do not work for a widespread attack like that.
  • Shouldn't the title of this article be

    Shouldn't the title of this article be "There's no hope for our Windows-based payment systems"?
  • Security

    The reports seem to indicate the problem was indifferent security at Target and Neiman Marcus that allowed access to the POS systems. Punishing customers at checkout seems to be passing the buck from the responsible parties, the retailer, to the victims.
    • yep and yep

      Exactly, lax security of systems plus lax network security allowed the malware in and the pilfered data out.

      Agree that the proposed solution just punishes the consumer in addition to which research shows the process to have very minimal benefits and would not have prevented this leak although it would limit the usability after the fact.
  • Lose Windows like it was 1999!

    It is a SHAME that so many ATMs, POS systems actually run Windows.
    • The problem runs deeper than that ...

      As one who has used desktop Linux for 15 years, I would agree, BUT, remember, Linux can be vulnerable to trojans as well. Also remember that a poorly administered Linux or Unix system is not a remedy for a poorly administered Windows system. For sure part of the problem are Windows vulns, but ONLY PART of the problem. So I am with you as regards for the need for more POS competition, but we need to be careful not to oversimplify it.
      George Mitchell
  • It has to be driven by the consumer

    If enough consumers stop shopping at retailers displaying these risks, they will get their IT departments in order. I recently had my account with a major tech retailer hacked. A fraudulent charge was authorized but never cleared. When I called the retailer about it, they told me they had already flagged it and blocked the charge. That is a retailer I will continue to do business with. But I will avoid retailers like Target due to the obvious risks involved with shopping there. If enough people take that approach, it will bring action on the part of the retailers to correct the problem. They will get much more careful on how they administer their systems and as to the vulnerabilities systems they choose in the first place. Beyond that there is little that can be done. It has to get bad enough to the point that consumers say no more. And personally, I have no problem with chip and pin, but even that is not a panacea. It doesn't solve the problem on the system side. If the bad guys can drop a trojan successfully, they can figure out a way to crack chip and pin as well.
    George Mitchell
    • Kind of the problem like who does not use this system

      How do you identify retailers "like" Target? One place we know that will get the twisted screw treatment is Target I suspect and how with nails. You know that this is par for the course as we all use the old familiar that is in everything everywhere.
  • Target Data Breach

    Where was the NSA on this type of thing? Are they seriously investigating law-abiding "Citizens" constantly on the 'Net and not watching for criminals? Shame on them.

    Another point is that 90% of this type of theft usually involves some kind of "Inside" resource. How did they install all that malware on all those POS systems without being detected? Very suspicious to me.