
Kmart Says Its Payment System Was Hacked

wiredmikey writes: Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast-growing club dealing with successful hack attacks. The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, and that debit and credit card numbers appear to have been compromised. A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.
  • by Spy Handler ( 822350 ) on Friday October 10, 2014 @07:09PM (#48116803) Homepage Journal

    why would Kmart even have your social security number?

    • by MasterOfGoingFaster ( 922862 ) on Friday October 10, 2014 @07:21PM (#48116883) Homepage

      why would Kmart even have your social security number?

      Uh... Employees?

    • by Anonymous Coward

      Kmart credit cards?

    • FTFA "The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers."
      • by Anonymous Coward

        FTFA "The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers."

        Must be true, if a spokesperson said it was.

    • Most stores these days have their own store credit cards. To apply for them you give them your SS#.

    • why would Kmart even have your social security number?

      Because they ask for it to look up your Sears credit card if you don't have it with you. Yes it is stupid

    • If you even go in to buy a candy bar they will ask you to apply for a credit card at the register. Even if you are eleven years old (happened to my daughter last week). Then they give you seven feet of receipt material with coupons, surveys, and a copy of the Magna Carta.

      They are so going out of business. I would be short on the stock.

  • by BUL2294 ( 1081735 ) on Friday October 10, 2014 @07:13PM (#48116827)
    ...nobody.
    • by Anonymous Coward

      So this affects nobody.

      Not quite. I have elderly relatives that live in a rural area that, for some reason, only has a K-Mart. No Target, no Wal-Mart, and very little by way of decent local shopping. The closest Wal-Mart is almost an hour's drive away, and Target is closer to two, so if you live there and want something that isn't groceries, you basically have no choice but to go to K-Mart. (As you might expect, it's a piss-poor example of a store, because there's absolutely no reason to care. It's not like the shoppers have

  • by Coditor ( 2849497 ) on Friday October 10, 2014 @07:15PM (#48116839)
    to list who hasn't been hacked yet. I wonder if these big companies buy their security systems at K-Mart.
    • by raymorris ( 2726007 ) on Saturday October 11, 2014 @01:09AM (#48118223) Journal

      I almost mentioned the name of my company as the one that hasn't been hacked. We take security very seriously. No Microsoft products are allowed on the premises, employees are armed, etc.

      Then I realized posting that could make us a Target.

      • I almost mentioned the name of my company as the one that hasn't been hacked. We take security very seriously. No Microsoft products are allowed on the premises, employees are armed, etc.

        Then I realized posting that could make us a Target.

        Well played, sir. Well played.

  • by jpellino ( 202698 ) on Friday October 10, 2014 @07:22PM (#48116891)
    in the dozens of dollars.
  • by manu0601 ( 2221348 ) on Friday October 10, 2014 @07:30PM (#48116925)
  • by turkeydance ( 1266624 ) on Friday October 10, 2014 @07:43PM (#48116989)
    if your company hasn't been hacked...well, that sucks for you.
  • by mlts ( 1038732 ) on Friday October 10, 2014 @07:47PM (#48117003)

    Sears, last time I checked, was a definite IBM AIX shop with the point of sale terminals being a tad more than IBM 3151 VTs, except with a credit scanner and cash drawer. Is K-Mart on a different system, or do both Sears and K-Mart use the same POS these days?

    Malware on Windows is one thing... nailing AIX systems actually would be an accomplishment.

    • Kmart has newer registers but the screen where you swipe credit cards looks like OS/2 or Win 3.1 judging by the hourglass displayed.

    • by execthis ( 537150 )

      Based on what the article says about what happened - that it was actual POS malware - I still am not able to figure out a methodology that would enable such an attack to work.

      Let's say someone manages to put malware on a POS device. Ok. But now how would that malware be able to communicate any information to the thieves? I cannot imagine that the POS device is just sitting on the 'net without a strict firewall in front of it allowing it access to one - and only one - address: that of the company that pro

      • by plover ( 150551 )

        While it's possible (unlikely in these days of PCI) that a POS register could have a direct route to the internet, it's also likely that the registers weren't the only machines in their system that were hacked. It is probable that the criminals found a little-used server in K-Mart's HQ systems, compromised it, and set up what's called a "dump site." The registers are then configured to exfiltrate their data to this internal HQ server, perhaps by periodic FTP, and the hackers had the HQ server send batches

        • I was thinking that the only possibilities for the theft to happen would have to be either a) there's an administrative access to the POS systems which was breached, kind of similar to what you are saying; or b) there's some manipulation of the physical infrastructure at (a) store(s) in addition to POS malware. For example some malicious host could be inserted in the pathway of communication of the POS systems. My guess is that that isn't too likely.

          More likely is something like a), or what you suggest. T
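The exchange above sketches how register data could leave a store network: registers push card data to a quiet internal box, and that box forwards batches outward. From the defender's side, both steps leave a traffic pattern worth alerting on. The following is an added example, not code from any commenter or from Kmart: it runs a small rule set over constructed flow records (made-up addresses; 10.50.0.0/16 is assumed to be the register segment and 192.0.2.10:443 the only approved processor gateway) and flags a register reaching an unapproved outside host, or an internal non-register host collecting connections from several registers.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Flow is one constructed connection record: who talked to whom, on which port,
// and how many bytes left the source. Real data would come from NetFlow/IPFIX or
// firewall logs; the values in DemoFlows are made up for this example.
type Flow struct {
	Src, Dst string
	DstPort  int
	Bytes    int
}

// Config describes the store network as the defender knows it. Assumed values:
// registers live in 10.50.0.0/16, internal space is 10.0.0.0/8, and the only
// approved destination for card data is the processor gateway 192.0.2.10:443
// (a TEST-NET address used as a stand-in).
type Config struct {
	RegisterNet  *net.IPNet
	InternalNets []*net.IPNet
	Allowed      map[string]bool // "ip:port" pairs registers may legitimately reach
	MinRegisters int             // distinct registers feeding one internal host before it is suspicious
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Analyze returns one finding per anomaly, sorted for stable output:
//   - "direct-egress": a register reached a host outside the allow list and outside internal space
//   - "dump-site": an internal non-register host collected connections from MinRegisters or more registers
func Analyze(flows []Flow, cfg Config) []string {
	var findings []string
	collectors := map[string]map[string]bool{} // internal dst -> set of register srcs
	for _, f := range flows {
		src, dst := net.ParseIP(f.Src), net.ParseIP(f.Dst)
		if src == nil || dst == nil || !cfg.RegisterNet.Contains(src) {
			continue // only register-originated traffic is in scope for these two rules
		}
		key := fmt.Sprintf("%s:%d", f.Dst, f.DstPort)
		if cfg.Allowed[key] {
			continue
		}
		if !inAny(dst, cfg.InternalNets) {
			findings = append(findings, fmt.Sprintf("direct-egress: register %s -> %s (%d bytes)", f.Src, key, f.Bytes))
			continue
		}
		if cfg.RegisterNet.Contains(dst) {
			continue // register-to-register chatter would need its own rule
		}
		if collectors[f.Dst] == nil {
			collectors[f.Dst] = map[string]bool{}
		}
		collectors[f.Dst][f.Src] = true
	}
	for dst, srcs := range collectors {
		if len(srcs) >= cfg.MinRegisters {
			findings = append(findings, fmt.Sprintf("dump-site: internal host %s received data from %d registers", dst, len(srcs)))
		}
	}
	sort.Strings(findings)
	return findings
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// DemoConfig and DemoFlows form the constructed scenario used by main.
func DemoConfig() Config {
	return Config{
		RegisterNet:  mustCIDR("10.50.0.0/16"),
		InternalNets: []*net.IPNet{mustCIDR("10.0.0.0/8")},
		Allowed:      map[string]bool{"192.0.2.10:443": true},
		MinRegisters: 3,
	}
}

func DemoFlows() []Flow {
	return []Flow{
		{"10.50.1.11", "192.0.2.10", 443, 1200}, // normal authorization to the processor
		{"10.50.1.12", "192.0.2.10", 443, 1150},
		{"10.50.1.11", "10.9.9.20", 21, 48000}, // several registers pushing to one quiet HQ box over FTP
		{"10.50.1.12", "10.9.9.20", 21, 51000},
		{"10.50.2.7", "10.9.9.20", 21, 47000},
		{"10.50.2.8", "198.51.100.5", 443, 9000},   // a register talking straight to an unknown outside host
		{"10.9.9.20", "198.51.100.5", 443, 900000}, // the HQ box forwarding batches; not a register, so not covered by these rules
	}
}

func main() {
	for _, f := range Analyze(DemoFlows(), DemoConfig()) {
		fmt.Println(f)
	}
}
```

The second stage (the HQ box itself sending large batches out) is deliberately left to a separate egress rule on the server segment; the point here is that register traffic is narrow enough that anything outside the allow list is a finding on its own.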

  • by Anonymous Coward

    As an IT security guy, I really find all these cracks disheartening. I guess the IT staff at these places don't really understand that security is a process, not a product. You cannot throw up a router with some ACLs and firewall or two and expect to be secure. Neither can you not make constant audits of your backend payment systems and expect security.

    I've already stopped shopping at Target permanently because of their debacle. I stopped shopping at Walmart this week due to their cancelling health benefits

    • Can't you pay with regular, non-computerized cash?

    • by mlts ( 1038732 )

      I wouldn't blame the IT staff. A lot of places have PHBs that feel that security has no ROI, so give token (at best) funding to security.

      As it stands now, most companies will not suffer much even with a critical breach. PCI-DSS3 is only for the little guys, and HIPAA, SOX, FERPA, and other regs are lightly enforced if that. The people who suffer are end users, and that doesn't really matter.

      Even with a good security staff in place, there is also the fact that you can't win a war with just defense. Ultim

      • by Anonymous Coward

        And, don't forget that the IT staff often have to allow a big, gaping hole in the firewall to allow the vendor(s) to update your POS software per contract.

        • by mlts ( 1038732 ) on Friday October 10, 2014 @11:10PM (#48117913)

          Very true. I'm reminded of one vendor that as part of the contract got their own direct connect to company LANs in order to directly service/support their software. I always worried that all it took was some compromise on the vendor's side, and it was a big gaping hole that could be easily nailed. The vendor was pretty much protected (part of the software contract), so if they got hacked, it was pretty much game over.

          I did stick in a firewall though. The vendor had unfettered access to their machines... but no unrelated boxes, and their machines were also sectioned off. However, it was like putting a bandaid on a bullet wound, because of all the things their software touched.

          Point of sale systems are not rocket science. We had better quality of code when game companies made Playstation 1 CDs (as they could not be updated, so what was released was it.) It might just be time to return to that finished quality of code... but still have an update mechanism. An update mechanism that requires not just signed firmware, but someone physically pressing a button (so the software can't be remotely updated.)
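The update mechanism described above, signed firmware that still needs someone on site to press a button, is easy to state and worth seeing as two separate gates. This is an added example, not the commenter's code and not a description of any real POS vendor's update path: the vendor signs a SHA-256 digest of the image with an Ed25519 key, and the terminal refuses to install unless both the signature verifies and a local, single-use consent flag has been set. Image contents and keys are constructed on the spot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a firmware image plus a detached signature over its SHA-256 digest.
// The signing key stays with the vendor; the terminal holds only the public key.
type Update struct {
	Image     []byte
	Signature []byte
}

// Terminal models the register's update path. ButtonPressed stands for the
// physical act the comment asks for: consent that cannot be given over the
// network. This is an assumed design for illustration only.
type Terminal struct {
	VendorKey     ed25519.PublicKey
	ButtonPressed bool
	Installed     []byte
}

var (
	ErrBadSignature = errors.New("firmware signature does not verify against the vendor key")
	ErrNoConsent    = errors.New("valid firmware, but no local button press authorising the install")
)

// digest is what gets signed; hashing first keeps the signed message fixed-size.
func digest(image []byte) []byte {
	h := sha256.Sum256(image)
	return h[:]
}

// SignUpdate is the vendor-side step.
func SignUpdate(priv ed25519.PrivateKey, image []byte) Update {
	return Update{Image: image, Signature: ed25519.Sign(priv, digest(image))}
}

// Apply enforces both gates in order: cryptographic origin first, then physical
// consent. Stealing the vendor key defeats the first gate but not the second.
func (t *Terminal) Apply(u Update) error {
	if !ed25519.Verify(t.VendorKey, digest(u.Image), u.Signature) {
		return ErrBadSignature
	}
	if !t.ButtonPressed {
		return ErrNoConsent
	}
	t.Installed = append([]byte(nil), u.Image...)
	t.ButtonPressed = false // consent is single-use; the next update needs a new press
	return nil
}

// UpdateScenario runs the three cases a reviewer would want to see and returns
// the error each produced (nil for success).
func UpdateScenario() (tampered, unattended, attended error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	term := &Terminal{VendorKey: pub}
	good := SignUpdate(priv, []byte("pos-firmware v2.1 (constructed image)"))

	// 1. The image is altered in transit; the signature no longer matches.
	bad := good
	bad.Image = append([]byte(nil), good.Image...)
	bad.Image[0] ^= 0xff
	tampered = term.Apply(bad)

	// 2. A genuine vendor image pushed remotely with nobody at the register.
	unattended = term.Apply(good)

	// 3. The same image after a technician presses the button on site.
	term.ButtonPressed = true
	attended = term.Apply(good)
	return
}

func main() {
	t, u, a := UpdateScenario()
	fmt.Println("tampered image:  ", t)
	fmt.Println("unattended push: ", u)
	fmt.Println("attended install:", a)
}
```

The order of the checks matters: verifying the signature before consulting the button means a stack of unsigned junk never even reaches the point where a technician is asked to approve it.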

    • As an IT security guy, I don't use my credit card at Target, Sears, Kmart, Walmart, Home Depot, or any of the large targets (no pun intended). I use cash at those places (and gas stations) because it is obvious they were employing on the cheap. Low paid employees+massive transactions=easy target. They are the low hanging fruit. I use my credit card at Newegg and my favorite small restaurant where I know the owner. At least if they get hacked I will get an apology. When I setup my customers/clients to
  • It's too bad someone hasn't come up with a way to make credit cards that cannot be compromised in this manner.
  • Beyond transactions, I wonder whether retailers should even be storing credit card information? Surely debating this problem to the credit card companies would be better? The only thing companies should keep is maybe some sort of public key value for the credit card, which can only be unlocked with a user-provided value. The private key would be in the hands of the credit card company to access your account.

    I am thinking on the fly here, but the main gist is the less credit card details stored by non-cred

    • I guess you missed the part where it's the payment systems that are being compromised in recent hacks. The way our credit/debit system works, the retailer must have your account information for as long as it takes to process the transaction. When it's the terminal where you swipe your card that's compromised and passing a copy of your data to thieves, what can you (the consumer) do?

      I wrote up a description of a payment system which never gives account information to retailers a while back but can't find i

    • by tlhIngan ( 30335 )

      I am thinking on the fly here, but the main gist is the less credit card details stored by non-credit card companies the better. These retailers could secure their systems better, but maybe they shouldn't be holding on to certain critical information either? We need to review what financial data is held in light of these issues.

      In Europe you have a one time key for your online payments, that requires a special calculator looking device. Probably not the best solution, but not a terrible one either - it's ju
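The "calculator-looking device" mentioned above, and the earlier wish for retailers to hold something other than a reusable card secret, come down to the same mechanism: the device and the issuer share a secret and a counter, the device shows a short code derived from the counter, and the issuer accepts each code once. The following is an added example, not anything a commenter posted and not the implementation of any particular bank's device: HMAC-based one-time codes in the style of RFC 4226 (HOTP), with both sides modelled, a look-ahead window for skipped presses, and replay rejection. The shared secret is a constructed string.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp derives a 6-digit code from a shared secret and a counter, using the
// HMAC-SHA1 dynamic truncation from RFC 4226. The retailer only ever sees the
// code, never the secret, and the code is useless once the issuer has consumed it.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Device is the customer's token: it emits codes and advances its counter.
type Device struct {
	secret  []byte
	counter uint64
}

func (d *Device) NextCode() string {
	c := hotp(d.secret, d.counter)
	d.counter++
	return c
}

// Issuer is the card company side. It remembers the next counter it expects,
// so a captured code cannot be replayed, and tolerates a few skipped presses.
type Issuer struct {
	secret    []byte
	next      uint64 // counter value the next acceptable code must be at or beyond
	lookAhead uint64 // how many skipped presses to tolerate
}

func (i *Issuer) Verify(code string) bool {
	for c := i.next; c < i.next+i.lookAhead; c++ {
		if hmac.Equal([]byte(hotp(i.secret, c)), []byte(code)) {
			i.next = c + 1 // everything up to and including c is now burned
			return true
		}
	}
	return false
}

// OtpScenario returns the outcome of: a fresh code, that same code replayed,
// and a code generated after two presses nobody used for a payment.
func OtpScenario() (first, replay, skipped bool) {
	secret := []byte("constructed-shared-secret-1234") // constructed for the example
	dev := &Device{secret: secret}
	iss := &Issuer{secret: secret, lookAhead: 5}

	code := dev.NextCode()
	first = iss.Verify(code)  // accepted: counter 0 is within the window
	replay = iss.Verify(code) // rejected: the issuer has moved past counter 0
	dev.NextCode()            // two presses the customer never submitted
	dev.NextCode()
	skipped = iss.Verify(dev.NextCode()) // accepted: counter 3 is still inside the look-ahead
	return
}

func main() {
	first, replay, skipped := OtpScenario()
	fmt.Println("fresh code accepted:   ", first)
	fmt.Println("replayed code accepted:", replay)
	fmt.Println("after skipped presses: ", skipped)
}
```

What this buys the consumer is exactly the property the thread is circling: a register that is skimming everything it sees captures a code that is already dead by the time the thieves try it, and nothing it captured lets them mint the next one.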

  • maybe they were going for the medical records, I heard that's big business these days.
  • That's why I use cash
  • by Ghoser777 ( 113623 ) on Friday October 10, 2014 @08:51PM (#48117357) Homepage

    That's 10 more people who have had their personal information compromised.

  • Keep a sub-$1 balance in your bank account. :P

  • by Anonymous Coward

    Last I knew - K-Mart's parent corporation Sears, rolled all their "Sears" cards over to Citibank. When I started getting surprise charges from "Sears Home Health" and called the number on the back of the "Sears" card to complain/dispute the charges - they told me "This is Citibank - if you have a dispute - dispute it with the company who charged it". I was like "this is a Sears card - I got a charge from Sears - I am calling Sears". Turns out - sometime magically three different companies - none of whom want

  • I wonder if they have been hacked for months whether their systems and forensics are reliable enough to say for sure any personal data is not at risk. I doubt a lot they have systems in place to be able to say that with a 100% security margin. As for the current hacked systems being hacked or/with malware, anyone with common sense should not use Windows to drive critical systems.
  • Am I the only one who thinks "Hack Attack" would be an awesome band name!?

  • Dr. Bruner: Well, Raymond? Aren't you more comfortable in your favorite K-Mart clothes? Charlie: Tell him, Ray. Raymond: K-Mart sucks. Dr. Bruner: Oh, I see. Charlie: Hey, Ray: you just made a joke. Raymond: Yeah, a joke. Ha ha ha... ha.
  • I vote that we force these corporations to take data security and IT in general more seriously. First, cut off their online credit card processing. They can use the old mechanical card swipers for a while. Once they have seriously upgraded their systems, and been independently audited, they can go back online. Require them to submit to thorough systems audits and spot checks for 5 years or so. Perhaps corporate management will get the message that IT may not be a profit center but it is necessary to co
  • by RubberDogBone ( 851604 ) on Saturday October 11, 2014 @04:01PM (#48120875)

    KMart is well known for having barely any IT infrastructure, and what they DO have doesn't work well. They are literally one step removed from only hand-crank adding machines.

    How DO you hack that?

    Yes, this is a serious question. One of the key differences between Walmart and KMart was how each company approached IT back in the 80s when this stuff became affordable and powerful. Walmart embraced data and wrapped their whole process around it and still uses it in quasi-magical ways to glean trends, predict sales, do reorders, and find efficiencies. They extract value from data just like they squeeze their suppliers.

    KMart, on the other hand, looked at computers and laughed and went on laughing for years, not noticing as Walmart outflanked them and eventually drove them into the ground head first. KMart is barely alive now, because they spent decades not having any idea what was even in the stores or what was selling. They didn't know, didn't care, had no way to handle the data even if they had it, and generally treated IT like nothing more than office internet connections to surf Yahoo.

    Baseline Magazine, I believe it was, did a stellar piece on Walmart vs. Kmart and how each handled IT as of about 10 years ago. KMart is not painted in a good light. It's actually amazing an organization as incompetent as KMart is even still in business. They have never gotten it and still don't.

    Walmart had them beat years before it happened, because Walmart knew all the data. They won the war in the server room. KMart never had a chance and didn't even fight back.

  • K-Mart knew their system was breached 1 month ago, and only now made it public. Don't shop there, never will.
