Botnet of 20,000 point-of-sale machines

I read about this the other day and suspect it may have infected our neighborhood grocery store. A whole slew of my neighbors had their credit cards compromised last month, all of whom used their cards at that store. At least one or two had their replacement cards compromised, too, sometimes within hours of using them for the first time (at the same store).

The store issued a vague apology and I noticed the other day that they had entirely new credit card machines at all their cash registers. I wonder who paid for it.

1 Like

“The botnet remained active at the time of writing and had compromised more than 20,000 payment cards since August”

Hmm, that’s cards, not machines. It’s still a huge problem.

2 Likes

It begins.

Next generation: bogus card readers will sample your DNA.

The vast majority of POS systems run on Windows XP with no real virus protection and the ease-of-install of an antiquated unsecured system, so it’s no surprise that it’s easy to infect one with malware. The interesting part is that it looks like someone managed to send updates to the swipe devices through the PCs. That’s the sophisticated part here, and it implies that the firmware is not secure.

1 Like
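The post above turns on one point: a swipe device that accepts whatever firmware the host PC pushes has no defence once that PC is compromised. The reader-side gate below is an added example, not code from the thread or from any terminal vendor; it shows the minimum a reader should insist on before flashing anything: the version must be on an approved manifest, it must be newer than what is installed (no rollback to a known-bad build), and the image's SHA-256 must match the manifest entry. The manifest format, the dotted version scheme and the sample images are assumptions constructed here; in a real deployment the manifest (or, better, a signing key) would live in the reader's protected storage and be verified with a proper signature, not simply trusted from the host.

```python
"""Reader-side gate for firmware pushed from a POS host to a card reader.

Added example, not code from the thread or from any vendor. The manifest
format, the version-string scheme and the sample images are assumptions
constructed here; a real reader would hold the manifest (or a signing key)
in protected storage rather than trusting the host that pushes the image.
"""
import hashlib
import hmac


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def version_key(version: str) -> tuple:
    """Turn '2.10' into (2, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def make_manifest(images: dict) -> dict:
    """Vendor side: map each approved version to the digest of its image."""
    return {version: sha256_hex(image) for version, image in images.items()}


def verify_update(manifest: dict, installed: str, candidate: str, image: bytes) -> str:
    """Device side: accept only an approved, newer image whose digest matches.

    Returns a short status string so callers (and tests) can see why an
    update was refused.
    """
    if candidate not in manifest:
        return "rejected: version not in manifest"
    if version_key(candidate) <= version_key(installed):
        return "rejected: rollback"          # anti-rollback: never go backwards
    expected = manifest[candidate]
    actual = sha256_hex(image)
    if not hmac.compare_digest(expected, actual):
        return "rejected: hash mismatch"     # tampered or corrupted image
    return "accepted"


# Constructed sample images; the bytes are placeholders, not real firmware.
SAMPLE_IMAGES = {
    "1.9": b"READER-FW 1.9 (constructed sample)",
    "2.0": b"READER-FW 2.0 (constructed sample)",
    "2.10": b"READER-FW 2.10 (constructed sample)",
}
MANIFEST = make_manifest(SAMPLE_IMAGES)


def demo() -> dict:
    """Exercise the gate with a good push, a tampered push, a rollback and an unknown build."""
    tampered = bytearray(SAMPLE_IMAGES["2.0"])
    tampered[0] ^= 0x01                      # flip one bit of the image
    return {
        "good": verify_update(MANIFEST, "1.9", "2.0", SAMPLE_IMAGES["2.0"]),
        "tampered": verify_update(MANIFEST, "1.9", "2.0", bytes(tampered)),
        "rollback": verify_update(MANIFEST, "2.0", "1.9", SAMPLE_IMAGES["1.9"]),
        "unknown": verify_update(MANIFEST, "1.9", "3.0", b"anything"),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:9s} {status}")
```

The numeric version key matters more than it looks: a string comparison would rank "2.10" below "2.9" and let a downgrade through the rollback check.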

…because new hardware will totally solve a malware problem.

2 Likes

It seems like it is becoming more and more dangerous to use a credit or debit card anywhere. Despite being careful, I average two card compromises a year. My bank has always been great about catching and resolving them, but still, it’s scary. I’m trying to switch to using cash again for as much as I can. The biggest pain is gas pumps: they are all pre-pay, and without a card you often have to wait in often long lines at the convenience store, twice if you actually overpay so you can fill up. Maybe they will eventually add cash readers and change systems like self-serve store checkouts to them?

To be fair, the store manager’s letter was only vague in that it didn’t really explain what had happened. But it did say they were installing a new firewall on their network, stepping up encryption, and buying a remote “monitoring and support package” that includes monthly security checks (not sure how thorough of an audit that entails). So not just replacing the card readers. I’m pretty sure replacing the card readers also involves new software on the POS terminals themselves, since the old card readers required the POS terminals to spit out paper receipts for signatures, while the new ones collect signatures electronically.

I fail to see the “danger” of using credit cards. Debit cards maybe, because if your account gets overdrawn it can cause cascading problems of bills not getting paid, etc. But the worst thing that happens when a credit card gets compromised is that I have to use a different account while waiting for a replacement card and then update my account number with a few recurring merchants.

Carrying cash is far more dangerous because you can actually lose it.

1 Like

Your Point-of-Sale machine is a P.O.S.

3 Likes

I wonder if you could write the virus and encode it on a credit card? Person installing the virus swipes his first card with the virus on it when buying something, infecting the machine/system. Then when that card shows up as unreadable or rejected, completes the purchase with cash or a different real card. I’m pretty sure I remember reading about some security types writing a virus that can be stored on a RFID chip, so it’s got to be possible…

I’ve been told that at one point many (most?) ATMs were running OS/2 because it was more secure/securable than WinXP. Gods know what they’re running now.

1 Like

Mag cards don’t store a lot of bytes; I’d be surprised if you could get much of a virus onto one.

They’re also fixed-format records, so I’d be surprised if there was any attack that could get code off of one and into execution.

Smartcards might or might not be more vulnerable. They have space to store a virus, certainly. But there’s still the problem of persuading the system to execute it.

1 Like

An ATM is not the same thing as a point of sale terminal. It’s not something you can check email on, and get a virus through bad security practices.

Almost certainly not. You might be able to f*ck someone’s database à la something like the XKCD joke about “johnny; {drop tables]”, but that should not infect the POS in any meaningful way.

1 Like
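The two points made above, that a mag stripe is a short fixed-format record rather than something a terminal executes, and that the worst a crafted swipe should manage is a database mishap of the “drop tables” kind, both come down to how the receiving software handles the bytes. The following is an added example, not code from the thread: a strict parser for ISO/IEC 7813 track 1 and track 2 records (hard length caps, a fixed grammar, an allowlist for the name field, a Luhn check on the PAN) followed by a parameterized SQLite insert that stores only a masked PAN. The field allowlists are a conservative reading of ISO 7813 and are an assumption; the sample tracks are constructed on a well-known test PAN, not real card data. The joke string from the thread is included as a name field to show it is refused by the parser before any SQL runs, while a legitimate apostrophe in a name is stored verbatim because it is bound as a parameter, never spliced into the query.

```python
"""Strict ISO/IEC 7813 track parser plus a parameterized SQLite insert.

Added example, not code from the thread. The field allowlists are a
conservative reading of ISO 7813 and are an assumption; the sample tracks
are constructed on a well-known test PAN, not real card data.
"""
import re
import sqlite3

MAX_TRACK1, MAX_TRACK2 = 79, 40   # ISO 7813 length caps, sentinels included

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>[0-9]{12,19})\^(?P<name>[A-Z0-9 ./'-]{2,26})\^"
    r"(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})(?P<disc>[0-9]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>[0-9]{12,19})=(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})(?P<disc>[0-9]*)\?$"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test on the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch) * (2 if i % 2 else 1)
        total += digit - 9 if digit > 9 else digit
    return total % 10 == 0


def parse_track(raw: str) -> dict:
    """Fields of a track 1 or 2 record, or ValueError. The swipe is matched
    against a fixed grammar with a hard length cap: data to validate, never
    anything to interpret."""
    if raw.startswith("%"):
        limit, pattern = MAX_TRACK1, TRACK1_RE
    elif raw.startswith(";"):
        limit, pattern = MAX_TRACK2, TRACK2_RE
    else:
        raise ValueError("unknown start sentinel")
    if len(raw) > limit:
        raise ValueError("record exceeds track length cap")
    match = pattern.fullmatch(raw)
    if match is None:
        raise ValueError("record does not match the fixed track format")
    fields = match.groupdict()
    if not luhn_ok(fields["pan"]):
        raise ValueError("PAN fails Luhn check")
    fields.setdefault("name", "")   # track 2 carries no name
    return fields


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE swipes (masked_pan TEXT, name TEXT, exp TEXT)")
    return conn


def record_swipe(conn: sqlite3.Connection, raw: str) -> str:
    """Validate a swipe, mask the PAN (first six, last four) and store it
    with bound parameters, so an apostrophe the parser allowed is stored
    verbatim rather than spliced into SQL. Returns the masked PAN."""
    f = parse_track(raw)
    masked = f["pan"][:6] + "*" * (len(f["pan"]) - 10) + f["pan"][-4:]
    conn.execute("INSERT INTO swipes VALUES (?, ?, ?)", (masked, f["name"], f["exp"]))
    return masked


def stored_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM swipes ORDER BY rowid")]


# Constructed samples on the common test PAN 4111111111111111.
TRACK2_OK = ";4111111111111111=2512101123456789?"
TRACK1_OK = "%B4111111111111111^DOE/JOHN^2512101?"
TRACK1_APOSTROPHE = "%B4111111111111111^O'BRIEN/PAT^2512101?"
# The thread's "drop tables" joke as a name field: ';' is outside the name
# allowlist, so the record is refused before any SQL is involved.
TRACK1_BAD_NAME = "%B4111111111111111^JOHNNY';DROP TABLE SWIPES;--^2512101?"


def demo() -> dict:
    conn = open_store()
    record_swipe(conn, TRACK1_OK)
    record_swipe(conn, TRACK1_APOSTROPHE)
    try:
        record_swipe(conn, TRACK1_BAD_NAME)
        bad_rejected = False
    except ValueError:
        bad_rejected = True
    return {"track2": parse_track(TRACK2_OK), "names": stored_names(conn),
            "bad_rejected": bad_rejected}


if __name__ == "__main__":
    print(demo())
```

The parser is the first line of defence and the bound parameters are the second; either alone would leave a gap (a parser that admits `;` but binds parameters is still safe against SQL, a parser that rejects `;` but concatenates strings is still undone by a plain apostrophe), and full PANs never reach the table at all.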

What probably happened was that someone sold them on an expensive “necessary” upgrade plus added services, yadda yadda. I expect they’re spending at least an extra 2 grand a year.

Wasn’t saying it was; just commenting on the fact that some of the folks who have most reason to worry about someone tampering with the device have stayed surprisingly (and gratifyingly) Windows-resistant.

Indeed, and now every time I see these sorts of things happening, I thank the NSA. I wonder if this has anything to do with the re-engineering of FLAME or STUXNET or components of either, specifically the part that fooled the Windows Update cert system?

1 Like

More a matter of stuxnet etc. having weaponized things that others were doing, than that others got anything from stuxnet, I’m sure.

Not sure how to parse your comment. My original thought had to do with the transfer of hacking technology from extremely sophisticated state-supported groups that is eventually making its way into the hands of less-sophisticated but equally criminal actors. STUXNET being the A.Q. Khan of the internet world, so to speak.
I wasn’t necessarily attempting to argue that stuxnet was the genesis of these types of attack, rather that someone reverse engineered some of its capabilities and has re-tuned those bits to go after POS machines.