Russian teen accused of writing Target malware

The Target data breach which has left tens of millions of payment cards compromised was carried out using off-the-shelf malware authored by a 17 year old Russian, according to security firm IntelCrawler.

4 comments

Russian teen accused of writing Target malware

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

Officials believe that the Target breach - which saw crooks steal the details of around 40 million customer cards and the personal information of 70 million - was just one of several attacks carried out over the holiday period.

Neiman Marcus Group says that it has also been hacked but a report authored by government agencies and security firm iSight Partners suggests that several other firms could have been hit.

The report has been sent out to retailers and banks warning them about what appears to be a concerted and sophisticated campaign and says that the malware used was partly written in Russian and that some of it had been on the black market since last spring.

IntelCrawler claims that this code is the BlackPOS malware, developed by a teenager going by the name of 'ree4' who has roots in St Petersburg. It has been widely sold on underground forums in Eastern Europe over the last few months and used in attacks in Australia, Canada and the US.

Sponsored [New Survey Report] The Global Fight Against Trade-Based Financial Crime

Related Company

Keywords

Comments: (4)

A Finextra member 

Ah, those teenagers... They should be taught about PCI DSS, importance of security and firewalls. And HCE...

Or is it the other way round?..

A Finextra member 

I think the payments industry (especially when it comes to mobile payments, especially when it comes to Android...) should take a close look at Target breach and give it a deep thought.

And then re-call history of the mobile industry - operators suffered from various security breaches, until SIM cards (aka SE) were introduced... It is EXTREMELY (!) difficult to defraud mobile operators these days. Why? Because their architecture is sound and solid.

In particular, the key authentication and security protocols used by the mobile industry are concise and covered on 20-50 pages. Compare that to 800+ pages of EMV specs (and add another hundreds of pages that EMVCo is now working on in respect of tokenisation...)

A Finextra member 

I am sure that many tools NSA uses were written by Russians as well. Who originally wrote the software should not really matter. The 'Russian teenager' made his buck by selling the malware to the people who committed the data breach. That is where probably 'Russian connection' ends. James Bond conspiracy won't help payment industry in the US Who planted it inside the POS terminals, and why Target and its Acquirer processor did not detect the breach in the first place are the main questions. Don't they check the POS software stack digital signature? What about PCI DSS? Is it useless in preventing these kinds of most likely insider type attacks? EMV + end to end unique per txn PAN tokenization (transparent to the merchant, acquirer) is the best deterrence mechanism against credit card collection and usage in online channel. Make the txn info useless to anybody except card issuer and that solves this.

A Finextra member 

Here's the thing: It doesn't need to happen again, and here's how to do it.
1. The credit card companies need to wipe everything but the UserID (and, possibly, the company ID) from the card.
2. They then install a fraudproof user authentication system. (A tolerably good description of such a system is at www.designsim.com.au/What_is_SteelPlatez.ppsx).
3.   The customer and retailer both have accounts on the authentication system.
4.    When the customer needs to make a purchase, or checkout at the POS terminal, he either selects his credit card from a menu, or swipes the card, to identify himself and the card company.
5.   This action connects the customer to the authentication system belonging to the appropriate credit card company, passing his user ID and details of the purchase. This includes the retailer's User ID.
6. The credit card company already knows the user's card number, so if his User ID has  been authenticated, it accesses the credit card details as it would do under the current system.
7. It then checks for a match with the retailer's submission.
8. If there's a match, it performs the usual checks for limits, expiry etc, issues an approval (or not), pays the retailer etc.
Simple.

[Webinar] SaaS savvy: Preparing for embedded and data driven bank paymentsFinextra Promoted[Webinar] SaaS savvy: Preparing for embedded and data driven bank payments