Target credit card hack: Things are a lot worse than the last time we told you they were worse than we thought

WSJ.COM posted the iSight report (click to see it - PDF)
WSJ.COM posted the iSight report. This is a section of code allegedly from the malware.

The report that explains how Target’s credit card systems were hacked contains this chilling sentence: “At the time of discovery, the malware had zero percent detection rate, which means fully updated antivirus engines on fully patched computers could not ID the malware.” It was posted online by The Wall Street Journal (PDF).

Let me translate: There was no way to stop the hackers.  It’s beginning to sound like they might as well have stolen a printing press from the U.S. Mint.

The question that’s hanging in the air now is this: Where does it stop?  The software, loaded with powerful new techniques for scraping, collecting, and transmitting credit cards from retail stores, was made available for sale to credit card hacker groups. It works so well, it’d be stupid to think it hasn’t spread, like a virus, to plenty of U.S. retailers.  Whatever hacker group attacked Target attacked other retailers.  Other hacker groups bought the malware and used it for their own attacks.

Earlier this week, I reported that credit card hackers had access to Neiman Marcus credit card systems for longer than three months. Excellent reporting by Reuters now reveals that six more retailers have been warned their systems might have been infected.

The malicious software, sold as “Trojan.POSRAM,” is particularly crafty because it exploits a fundamental weakness in the way the credit card encryption works. Even if a retailer does everything right, and spends the money to encrypt account numbers whenever they are at rest, there is still a moment when the scrambled data must be unscrambled for processing.  Just as encrypted data is useless to hackers, it’s useless for computations, too – it must be unscrambled to be authenticated. POSRAM grabs the data during the instant it’s unprotected, when it’s in RAM, for processing.

iSight’s report on the malware, furnished to the Secret Service and posted by the Wall Street Journal, makes clear that the technique isn’t exactly brand new — it’s been used in Brazil at least as far back as 2009, and in Eastern Europe, too.  But it was new enough to retailers in the U.S. The question now is: How many of them have found the now-infamous winxml.dll file that’s hiding on their systems, gathering up our credit card numbers? And how many will be ultimately hear about?

Meanwhile, as I’ve suspected all along, there’s good reason to believe that the Target hack may have even impacted non-Target shoppers.  Net users are telling that they’re getting e-mails from Target with offers of free credit monitoring, even though they’ve never shopped at Target or  That means Target got the victims’ email addresses some other way — through a partnership, or by purchasing the data from a marketing company. Target isn’t yet saying.

It all means that the initial comforting caveat that as long as you didn’t shop at Target between Nov. 27-Dec. 15, you didn’t have anything to worry about — well, we’re very far from that now.  Before we’re done, this attack might touch half the households in America. Or more.  It’s a pretty good idea to take Target up on its offer of free credit monitoring. Here’s how. 

Sign up for Bob Sullivan’s newsletter. 



About Bob Sullivan 1211 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

Be the first to comment

Leave a Reply

Your email address will not be published.