The report that explains how Target’s credit card systems were hacked contains this chilling sentence: “At the time of discovery, the malware had zero percent detection rate, which means fully updated antivirus engines on fully patched computers could not ID the malware.” It was posted online by The Wall Street Journal (PDF).
Let me translate: There was no way to stop the hackers. It’s beginning to sound like they might as well have stolen a printing press from the U.S. Mint.
The question that’s hanging in the air now is this: Where does it stop? The software, loaded with powerful new techniques for scraping, collecting, and transmitting credit card data from store registers, was put up for sale to credit card hacker groups. It works so well that it would be naive to think it hasn’t been planted at plenty of other U.S. retailers. Whatever hacker group attacked Target has very likely hit other retailers, and the other groups that bought the malware have very likely used it in attacks of their own.
Earlier this week, I reported that credit card hackers had access to Neiman Marcus credit card systems for longer than three months. Excellent reporting by Reuters now reveals that six more retailers have been warned their systems might have been infected.
The malicious software, which iSight’s report identifies as “Trojan.POSRAM,” is particularly crafty because it exploits a fundamental limit of encryption rather than a flaw in it. Even if a retailer does everything right, and spends the money to encrypt account numbers whenever they are stored on disk or sent over a network, there is still a moment when the scrambled data must be unscrambled for processing. Encrypted data is useless to hackers, but it is useless for computation, too: the register has to see the actual card number to build the authorization request it sends to the bank. POSRAM grabs the data during that instant, while it sits unprotected in the register’s memory (RAM). The structural fix is to encrypt the card data inside the card reader itself, before it ever reaches the register’s memory, which is what point-to-point encryption does; a retailer that encrypts only at rest has left that window open.
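To make that concrete, here is a short added example. It is not code from iSight’s report or from the Target investigation, and it makes no claim about how POSRAM itself is written; it simply runs the kind of search a RAM scraper runs over a made-up snapshot of register memory. Everything in it is constructed: the memory image, the two swipes (built from the standard 4111… and 5555… test card numbers and a fictional cardholder), the “phone number” that looks like a card number but fails the Luhn check, and the `reader_encrypt` routine, which is a toy stand-in for an encrypting card reader, not a real point-to-point encryption scheme. The same patterns that let a scraper find card data are what a defender would use to hunt for it in a memory dump, so the example covers both uses.

```python
import hashlib
import re

# Track 2: start sentinel ';', PAN (13-19 digits), '=', YYMM expiry,
# 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1, format B: '%B', PAN, '^', cardholder name, '^', YYMM expiry,
# 3-digit service code, discretionary data, end sentinel '?'.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# A bare run of 13-19 digits, for hunting PANs that are not track-framed.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check-digit test; weeds out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape(buf: bytes) -> list[dict]:
    """Pull every well-formed track record out of buf, as a RAM scraper does."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": 1, "pan": m.group(1).decode(),
                         "name": m.group(2).decode(), "exp": m.group(3).decode(),
                         "offset": m.start()})
    for m in TRACK2_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": 2, "pan": m.group(1).decode(),
                         "exp": m.group(2).decode(), "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def find_pans(buf: bytes) -> list[str]:
    """Looser hunt: any Luhn-valid 13-19 digit run, track-framed or not."""
    return [m.group(1).decode() for m in PAN_RE.finditer(buf) if luhn_ok(m.group(1))]


def mask(pan: str) -> str:
    """First six and last four only, which is how a report or log should show a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def reader_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for a reader that encrypts the swipe before the POS sees it.
    Deterministic SHA-256 keystream in counter mode, XORed over the data; NOT a
    real P2PE scheme, only here so the effect on the memory image can be shown
    offline. Applying it twice with the same key decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        keystream = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], keystream))
    return bytes(out)


# Constructed sample data (standard test card numbers, fictional cardholder).
TRACK1 = b"%B4111111111111111^DOE/JANE^25121011000000000000?"
TRACK2 = b";5555555555554444=25121011000012345678?"
READER_KEY = b"toy-reader-key"  # assumed key for the toy reader cipher


def pos_memory(swipe1: bytes, swipe2: bytes) -> bytes:
    """Constructed snapshot of a register process's heap: junk bytes, a receipt,
    two swipes exactly as the reader handed them over, and a phone-like digit run."""
    return (b"\x00\x10MSR ready\x00\x00Receipt #4471 total 19.97\x00"
            + swipe1 + b"\x00\x00cfg.xml\x00" + swipe2
            + b"\x00phone 1234567890123456\x00" + b"\xff\xfe" * 8)


# Register that only encrypts at rest: the swipes sit in memory in the clear.
PLAIN_MEMORY = pos_memory(TRACK1, TRACK2)
# Register behind an encrypting reader: memory holds ciphertext instead.
P2PE_MEMORY = pos_memory(reader_encrypt(TRACK1, READER_KEY),
                         reader_encrypt(TRACK2, READER_KEY))

if __name__ == "__main__":
    for h in scrape(PLAIN_MEMORY):
        print(f"track {h['track']} at offset {h['offset']}: {mask(h['pan'])} exp {h['exp']}")
    print("bare PAN hunt, plain memory:", [mask(p) for p in find_pans(PLAIN_MEMORY)])
    print("scrape, encrypting reader:", scrape(P2PE_MEMORY))
    print("bare PAN hunt, encrypting reader:", find_pans(P2PE_MEMORY))
```

Run against the plaintext image, both searches recover the two card numbers and reject the look-alike phone number; run against the image from the encrypting reader, both come up empty, because the register never held the swipe in the clear. That is the whole difference between encrypting at rest and encrypting at the reader.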
iSight’s report on the malware, furnished to the Secret Service and posted by the Wall Street Journal, makes clear that the technique isn’t exactly brand new: memory-scraping malware has been used in Brazil at least as far back as 2009, and in Eastern Europe, too. But it was new enough to retailers in the U.S. The question now is: How many of them have found the now-infamous winxml.dll file hiding on their systems, gathering up our credit card numbers? And how many of those will we ultimately hear about?
Meanwhile, as I’ve suspected all along, there’s good reason to believe that the Target hack may have impacted non-Target shoppers as well. Net users are telling Consumerist.com that they’re getting e-mails from Target offering free credit monitoring, even though they’ve never shopped at Target or Target.com. That suggests Target got those victims’ e-mail addresses some other way, through a partnership or by purchasing the data from a marketing company. Target isn’t yet saying.
It all means that the initial comforting caveat, that you had nothing to worry about as long as you didn’t shop at Target between Nov. 27 and Dec. 15, no longer holds. Before we’re done, this attack might touch half the households in America. Or more. It’s a pretty good idea to take Target up on its offer of free credit monitoring. Here’s how.