Kmart Says Its Payment System Was Hacked

wiredmikey writes Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast growing club dealing successful hack attacks. The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, and that debit and credit card numbers appear to have been compromised. A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.

social security? wtf

[Spy Handler]

why would Kmart even have your social security number?

Re:social security? wtf

[MasterOfGoingFaster]

why would Kmart even have your social security number?

Uh... Employees?

Re:

[Anonymous Coward]

Kmart credit cards?

Re:

[retroworks]

FTFA "The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers."

Re:

[Anonymous Coward]

FTFA "The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers."

Must be trure, if a spokesperson said it was.

Re: social security? wtf

[EthanV2]

I'd like to know what has actually been leaked, since everything in that list is generally stuff that would be leaked in a breach of a payment system.

Re:

[Vellmont]

Most stores these days have their own store credit cards. To apply for them you give them your SS#.

Re:

[lister king of smeg]

why would Kmart even have your social security number?

Because they ask for it to look up your Sears credit card if you don't have it with you. Yes it is stupid

Re: social security? wtf

[bill_mcgonigle]

If you even go in to buy a candy bar they will ask you to apply for a credit card at the register. Even if you are eleven years old (happened to my daughter last week). Then they give you seven feet of receipt material with coupons, surveys, and a copy of the Magna Carta.

They are so going out of business. I would be short on the stock.

Re:

[JWSmythe]

That's pretty much what I was thinking. I thought they had all closed a few years ago.

So this affects...

[BUL2294]

...nobody.

Re:

[Anonymous Coward]

So this affects nobody.

Not quite. I have elderly relatives that live in a rural area that, for some reason, only has a K-Mart. No Target, no Wal-Mart, and very little by way of decent local shopping. The closest Wal-Mart is almost an hour's drive away, and Target is closer to two, so if you live there and want something that isn't groceries, you basically have no choice but to go to K-Mart. (As you might expect, it's a piss-poor example of a store, because there's absolutely no reason to care. It's not like the shoppers have

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Tablizer]

Blue Screen Special

Re:

[NotQuiteReal]

umm... the color blue? Loose associations come easily to those who drink-n-post.

Re:

[plover]

"ATTENTION K-MART HACKERS!

We have a special deal for you under the flashing blue screen. Credit card numbers, all you can stuff in a ZIP file. The blue screen will only be there for the next month or so, so hurry on over and check out the checkouts."

It would be quicker

[Coditor]

to list who hasn't been hacked yet. I wonder if these big companies buy their security systems at K-Mart.

almost said my company, would be a Target

[raymorris]

I almost mentioned the name of my company as the one that hasn't been hacked. We take security very seriously. No Microsoft products are allowed on the premises, employees are armed, etc.

Then I realized posting that could make us a Target.

Re:

[Gazzonyx]

I almost mentioned the name of my company as the one that hasn't been hacked. We take security very seriously. No Microsoft products are allowed on the premises, employees are armed, etc.

Then I realized posting that could make us a Target.

Well played, sir. Well played.

Officials estimates losses

[jpellino]

in the dozens of dollars.

Also at krebsonsecuritycom

[manu0601]

Brian Krebs covered it too: http://krebsonsecurity.com/2014/10/malware-based-credit-card-breach-at-kmart/ [krebsonsecurity.com]

hacking-envy

[turkeydance]

if your company hasn't been hacked...well, that sucks for you.

Does K-Mart use the same stuff as Sears?

[mlts]

Sears, last time I checked was a definite IBM AIX shop with the point of sale terminals being a tad more than IBM 3151 VTs, except with a credit scanner and cash drawer. Is K-Mart on a different system, or do both Sears and K-Mart use the same POS these days?

Malware on Windows is one thing... nailing AIX systems actually would be an accomplishment.

Re:

[ArchieBunker]

Kmart has newer registers but the screen where you swipe credit cards looks like OS/2 or Win 3.1 judging by the hourglass displayed.

Re:

[execthis]

Based on what the article says about what happened - that it was actual POS malware - I still am not able to figure out a methodology that would enable such an attack to work.

Let's say someone manages to put malware on a POS device. Ok. But now how would that malware be able to communicate any information to the thieves? I cannot imagine that the POS device is just sitting on the 'net without a strict firewall in front of it allowing it access to one - and only one - address: that of the company that pro

Re:

[plover]

While it's possible (unlikely in these days of PCI) that a POS register could have a direct route to the internet, it's also likely that the registers weren't the only machines in their system that were hacked. It is probable that the criminals found a little-used server in K-Mart's HQ systems, compromised it, and set up what's called a "dump site." The registers are then configured to exfiltrate their data to this internal HQ server, perhaps by periodic FTP, and the hackers had the HQ server send batches

Re:

[execthis]

I was thinking that the only possibilities for the theft to happen would have to be either a) there's an administrative access to the POS systems which was breached, kind of similar to what you are saying; or b) there's some manipulation of the physical infrastructre at (a) store(s) in addition to POS malware. For example some malicious host could be inserted in the pathway of communication of the POS systems. My guess is that that isn't too likely.

More likely is something like a), or what you suggest. T

Re:

[Anonymous Coward]

It would be an accomplishment. Mainframe OSes, AIX, and Solaris have an impeccable record for security these days (before 2000, different story, as Sun was often bashed... but with MS as the absolute focus for the bad guys with OS X and Linux trailing), hacking an AIX box is a lot more difficult than Windows.

1: AIX has trustchk. If the executable isn't signed, it doesn't run. Linux doesn't have this functionality, and has to be done in userland. Even modified libraries won't load. Of course, this func

My shopping is becoming limited

[Anonymous Coward]

As an IT security guy, I really find all these cracks disheartening. I guess the IT staff at these places don't really understand that security is a process, not a product. You cannot throw up a router with some ACLs and firewall or two and expect to be secure. Neither can you not make constant audits of your backend payment systems and expect security.

I've already stopped shopping at Target permanently because of their debacle. I stopped shopping at Walmart this week due to their cancelling health benefits

Re:

[ArcadeMan]

Can't you pay with regular, non-computerized cash?

Re:

[RussR42]

You could try. But if the police see you with cash, they'll take it away. [slashdot.org]

Re:

[mlts]

I wouldn't blame the IT staff. A lot of places have PHBs that feel that security has no ROI, so give token (at best) funding to security.

As it stands now, most companies will not suffer much even with a critical breach. PCI-DSS3 is only for the little guys, and HIPAA, SOX, FERPA, and other regs are lightly enforced if that. The people who suffer are end users, and that doesn't really matter.

Even with a good security staff in place, there is also the fact that you can't win a war with just defense. Ultim

Re:

[Anonymous Coward]

And, don't forget that the IT staff often have to allow a big, gaping hole in the firewall to allow the vendor(s) to update your POS software per contract.

Re:My shopping is becoming limited

[mlts]

Very true. I'm reminded of one vendor that as part of the contract got their own direct connect to company LANs in order to directly service/support their software. I always worried that all it took was some compromise on the vendor's side, and it was a big gaping hole that could be easily nailed. The vendor was pretty much protected (part of the software contract), so if they got hacked, it was pretty much game over.

I did stick in a firewall though. The vendor had unfettered access to their machines... but no unrelated boxes, and their machines were also sectioned off. However, it was like putting a bandaid on a bullet wound, because of all the things their software touched.

Point of sale systems are not rocket science. We had better quality of code when game companies made Playstation 1 CDs (as they could not be updated, so what was released was it.) It might just be time to return to that finished quality of code... but still have an update mechanism. An update mechanism that requires not just signed firmware, but someone physically pressing a button (so the software can't be remotely updated.)

Re:

[networkzombie]

As an IT security guy, I don't used my credit card at Target, Sears, Kmart, Walmart, Home Depot, or any of the large targets (no pun intended). I use cash at those places (and gas stations) because it is obvious they were employing on the cheap. Low paid employees+massive transactions=easy target. They are the low hanging fruit. I use my credit card at Newegg and my favorite small restaurant where I know the owner. At least if they get hacked I will get an apology. When I setup my customers/clients to

It's a Pin, Chip!

[rmdingler]

It's too bad someone hasn't come up with a way to make credit cards that cannot be compromised in this manner.

Re:

[ShanghaiBill]

How does that chip help when you are shopping online?

You insert it into a device attached to the USB on your computer. The chip is queried and authenticated in real time as you make your purchase. I have a bank account in China, and that is how it works there to do online transactions.

Re:

[Rich0]

Woud such a chip device ever be allowed to have Linux drivers, considering how hard everything is getting hacked today, even without their existance?

I don't know how Chip/PIN was actually implemented, but if the makers had half a brain there would be no reason not to make the drivers/protocols/etc completely open. There is no reason that the system should have to rely on the security of the POS terminal - the crypto happens on the smartcard and all the terminal should do is relay stuff between the bank and the card. In fact, I don't get why they don't just put the keypad on the card itself, making the PIN harder to steal, as well as the credential on

Re:

[ShanghaiBill]

I don't get why they don't just put the keypad on the card itself

In the near future, they will, because "the card" will be your cellphone.

Re:

[Rich0]

I don't get why they don't just put the keypad on the card itself

In the near future, they will, because "the card" will be your cellphone.

The problem with this is that it is actually not easy to ensure that the path between the TPM and the phone touchscreen isn't compromised. You can secure the credentials in the TPM, but the PIN is harder to secure when it is entered on a device intended for general-purpose computing.

Should retailers store credit card details?

[Midnight Thunder]

Beyond transactions, I wonder whether retailers should even be storing credit card information? Surely debating this problem to the credit card companies would be better? The only thing combines should be keep is maybe some sort of public key value for the credit card, which can only be unlocked with a user provide value. The private key would be in the hands of the credit card company to access your account.

I am thinking on the fly here, but the main gist is the less credit card details stored by non-cred

Re:

[Teresita]

In other news, people who actually have credit cards go to K-Mart...

Re:

[jtownatpunk.net]

I guess you missed the part where it's the payment systems that are being compromised in recent hacks. The way our credit/debit system works, the retailer must have your account information for as long as it takes to process the transaction. When it's the terminal where you swipe your card that's compromised and passing a copy of your data to thieves, what can you (the consumer) do?

I wrote up a description of a payment system which never gives account information to retailers a while back but can't find i

Re:

[tlhIngan]

I am thinking on the fly here, but the main gist is the less credit card details stored by non-credit card companies the better. These retailers could secure their systems better, but maybe they shouldn't be holding on to certain critical information either? We need to review what financial data is held in light of these issues.

In Europe you have a one time key for your online payments, that requires a special calculator looking device. Probably not the best solution, but not a terrible one either - it's ju

Pharmacy

[breman]

maybe they were going for the medical records, I heard that's big business these days.

Cash is king

[AndyKron]

That's why I use cash

Re:

[un1nsp1red]

Plus, it makes you look like a baller.

This is terrible

[Ghoser777]

That's 10 more people who have had their personal information compromised.

Protect yourself from crackers the easy way

[msobkow]

Keep a sub-$1 balance in your bank account. :P

Re:

[msobkow]

Not when you don't have overdraft protection.

Shady practices.

[Anonymous Coward]

Last I knew - K-Mart's parent corporation Sears, rolled all their "Sears" cards over to Citibank. When I started getting suprize charges from "Sears Home Health" and called the number on the back of the "Sears" card to complain/dispute the charges - they told me "This is Citibank - if you have a dispute - dispute it with the company who charged it". I was like "this is a Sears card - I got a charge from Sears - I am calling Sears". Turns out - sometime magically three different companies - none of whom want

Doubtful forensics and common sense

[ruir]

I wonder if they have been hacked for months wether their systems and forensics are reliable enough to say for sure any personal data is not at risk. I doubt a lot they have systems in places to be able to say that with a 100% security margin. As for the current hacked systems being hacked or/with malware, anyone with common sense should not use Windows to drive critical systems.

HACK ATTACK

[darkain]

Am I the only onw who thinks "Hack Attack" would be an awesome band name !?

K-mart sucks

[liquidghondi]

Dr. Bruner: Well, Raymond? Aren't you more comfortable in your favorite K-Mart clothes? Charlie: Tell him, Ray. Raymond: K-Mart sucks. Dr. Bruner: Oh, I see. Charlie: Hey, Ray: you just made a joke. Raymond: Yeah, a joke. Ha ha ha... ha.

Another day another major data breach...

[Marlin Schwanke]

I vote that we force these corporations to take data security and IT in general more seriously. First, cut off their online credit card processing. They can use the old mechanical card swipers for a while. Once they have seriously upgraded their systems, and been independently audited, they can go back online. Require them to submit to thorough systems audits and spot checks for 5 years or so. Perhaps corporate management will get the message that IT may not be a profit center but it is necessary to co

How do you hack a crank calculator

[RubberDogBone]

KMart is well known for having barely any IT infrastructure, and what they DO have doesn't work well. They are literally one step removed from only hand-crack adding machines.

How DO you hack that?

Yes this is a serious question. One of the key differences between Walmart and KMart was how each company approached IT back in the 80s when this stuff became affordable and powerful. Walmart embraced data and wrapped their whole process around it and still uses it quasi-magical ways to glean trends, predict sales, do reorders, and find efficiencies. They extract value from data just like they squeeze their suppliers.

KMart, on the other hand, looked at computers and laughed and went on laughing for years, not noticing as Walmart out flanked them and eventually drove them into the ground head first. KMart is barely alive now, because they spent decades not having any idea what was even in the stores or what was selling. They didn't know, didn't care, had no way to handle the data even if they had it, and generally treated IT like nothing more than office internet connections to surf Yahoo.

Baseline Magazine, I believe it was, did a stellar piece on Walmart vs. Kmart and how each handled IT as of about 10 years ago. KMart is not painted on a good light. It's actually amazing an organization as incompetent as KMart is even still in business. .They have never gotten it and still don't.

Walmart had them beat years before it happened, because Walmart knew all the data. They won the war in the server room. KMart never had a chance and didn't even fight back.

K-Mart Hacked

[Gruff 2005]

K-Mart knew their system was breached 1 month ago, and only now made it public. Don't shop there never will.