In the name of profit Target and Home Depot refused to protect customers
This is criminal negligence. To anyone believing our salvation rests with the benevolence of corporations, go sit in the corner.
In the wake of a stunning data breach at America's largest home improvement retail chain, The Home Depot, Inc. (HD), a stunning picture of negligence is slowly emerging. Both Home Depot and Target Corp. (TGT) -- whose registers were compromised last December -- appear to have fallen victim to a decade-old exploit of Windows XPe.
What's more, these losses -- which may total as many as 100 million customer credit and debit card numbers -- could have likely been prevented by simply paying to upgrade to a more modern Microsoft Corp. (MSFT) operating system, such as Windows 7 for Embedded Systems. But since Target, Home Depot, and others have refused to protect customers, customers are now paying the price. Banks are scrambling to try to control the damage of these massive intrusions perpetrated by hackers in Russia and Ukraine. But much damage is already done and will yet be done due to retailers' appalling technical negligence.
I. Windows XPe -- The OS Behind Retail's Credit Card Breaches
This week Brian Krebs, a top security researcher affiliated with The Washington Post, published on his blog, Krebs on Security, fresh details of a hack that potentially compromised millions of Americans' credit cards. Mr. Krebs had broken word of the hack last Tuesday, writing that it appeared to be the work of Russian hackers. Now he's offered up fresh details on the malware they used to siphon credit card numbers (CCNs) from checkouts of Home Depot.
The hack was first noticed sometime in the last month or two, after bank fraud prevention specialists began to notice a recurring pattern of fraud that correlated with customers who had shopped at the retail giant.
In need of repairs: outdated software at America's largest home improvement retailer led to yet another loss of millions of customers' credit card numbers. [Image Source: Reuters]
The new report reveals that Home Depot's registers -- most of which are believed to still be running the aging point-of-sale versions of Windows XP or a derivative -- were infected with a kind of malware which was also installed on registers during the massive Dec. 2013 hack of Target.
To understand this malware, it's crucial to first understand its host: a badly aging Microsoft operating system that's behind the times security-wise, but still broadly used in the world of retail. The OS in question is a derivative of Windows XP, one of the most popular consumer OSes in history.
The version used by retailers is known as Windows XP Embedded (aka Windows XPe). It launched a month after the consumer version of the 14-year-old OS, in Nov. 2001.
According to Wikipedia, Home Depot was indeed using the original Windows XPe Service Pack 3 (SP3) on its point-of-sale (POS) devices (aka registers, in layman's terms). The same article reports that the chain uses the "Zune" theme, which was released in Nov. 2006 by Microsoft. The theme features dark grey window tops and an orange Start button, a departure from the standard green Start button in Windows XP/XPe.
Target was also believed to be running the same aging OS -- Windows XPe SP3 -- on its POS hardware. A Jan. 2003 press release from Microsoft rather ironically mentions both retailers in the same paragraph, indicating they adopted the OS late in 2002. It writes:
Retailers taking advantage of Microsoft .NET-enabled solutions include Rite Aid Corp. and Metro Cash & Carry, which are equipping retail stores with point-of-sale (POS) systems based on the Windows® XP Embedded operating system; Target Corp., which plans to deploy Windows XP Embedded in its Target and Mervyn's Stores; Best Buy Co. Inc. and 7-Eleven Inc., which are using Windows XP Tablet PC Edition in their corporate and store operations; and, most recently, Home Depot Inc., which has chosen to update its store point-of-sale terminals with Microsoft technologies because of their high degree of flexibility.
That sentence is painfully ironic today, as it ultimately reveals the root of one of the biggest successful cybercrime campaigns in recent history.
http://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm
h/t to PuppyBismark
blkmusclmachine (16,149 posts)

SunSeeker (51,378 posts)

nakocal (528 posts)
All Windows operating systems are vulnerable. If you want a secure, robust system you need to use UNIX. All versions of Windows have so much unused garbage in them that they can be exploited.
bananas (27,509 posts)
Microsoft should share the blame for aggressively marketing a defective product.
gvstn (2,805 posts)
It was recommended that other retailers check their logs every 24 hours for signs of fraud. Home Depot never implemented this security feature. They only checked every few months, which is why this went on so long. It was the banks/Visa/Mastercard network that saw a pattern and notified HD.
I'm still not sure who to blame. The big box stores may still be using XP for their registers, which interact with the card readers that we all swipe. But banks still get about 30 cents for each debit transaction and Visa/Mastercard get about 2% per credit card transaction for processing fees.
It seems to me that banks and Visa/Mastercard should be on the hook for proper security. These days people swipe cards for even a one dollar purchase, which means your 70 cent candy bar cost $1.00 because there is a 30 cent fee associated with it. The retailers expect that the card systems are safe because they pay at least $0.30 per transaction, but the banks/companies that process those transactions blame it on them using an old cash register system. Someone has to give on who is responsible. We all pay fees every time we use a card, whether we realize it or not. At this point going back to cash doesn't mean that retailers will remove the "hidden" cost of us using our debit/credit cards for far more purchases than actually necessary. My old rule for using a card was for a transaction of $50 or more. Now, I use it for almost everything over $5. We all pay for my/our mindless use of cards when we could just pay cash instead.
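Both the article (bank fraud teams noticing a recurring pattern of fraud correlated with shoppers at one retailer) and gvstn's reply (the card networks saw a pattern and notified HD) describe what issuers call common point of purchase (CPP) analysis: start from cards already reported for fraud, look back through their transaction histories, and find the merchant an unusually large share of them have in common. The script below is an added example, not code from the article, the thread, or any bank or card network. Every card ID, merchant name, date and threshold in it is constructed for illustration; nothing in it is derived from the actual breach data.

```python
"""Common point of purchase (CPP) analysis over constructed sample data.

Added example, not code from the article or the thread. Given cards the
bank has already flagged for fraud and a transaction history of
(card, merchant, date), rank merchants by how over-represented the flagged
cards are among their customers. All data below are made up.
"""
from collections import defaultdict
from datetime import date


def _card(n):
    return f"card{n:02d}"


# Constructed transaction history: (card_id, merchant, purchase_date).
# 20 cards all shop at the grocer; six of them also visit one hardware
# store; a few hit a gas station or a coffee shop.
TRANSACTIONS = []
for n in range(1, 21):
    TRANSACTIONS.append((_card(n), "grocery-co", date(2014, 8, 10)))
for n in range(1, 7):
    TRANSACTIONS.append((_card(n), "hardware-store-1234", date(2014, 8, 12)))
for n in (2, 7, 8, 9):
    TRANSACTIONS.append((_card(n), "gas-station", date(2014, 8, 15)))
for n in (3, 10):
    TRANSACTIONS.append((_card(n), "coffee-shop", date(2014, 8, 16)))
# One hardware-store visit from before the analysis window; it must be ignored.
TRANSACTIONS.append((_card(11), "hardware-store-1234", date(2014, 3, 1)))

# Constructed: the five cards the bank's fraud team has flagged so far.
FRAUD_CARDS = {_card(n) for n in range(1, 6)}

# Constructed analysis window (hypothetical dates).
WINDOW_START = date(2014, 4, 1)
WINDOW_END = date(2014, 9, 8)


def score_merchants(transactions, fraud_cards, start, end):
    """Return per-merchant statistics for transactions dated within [start, end].

    coverage: share of all reported fraud cards that shopped at the merchant.
    purity:   share of the merchant's distinct customers that were later reported.
    lift:     purity divided by the fraud rate across every card seen in the
              window, i.e. how over-represented fraud cards are at this merchant.
    """
    cards_at = defaultdict(set)
    all_cards = set()
    for card, merchant, when in transactions:
        if start <= when <= end:
            cards_at[merchant].add(card)
            all_cards.add(card)
    if not all_cards or not fraud_cards:
        return {}
    baseline = len(fraud_cards & all_cards) / len(all_cards)
    stats = {}
    for merchant, cards in cards_at.items():
        hits = len(cards & fraud_cards)
        purity = hits / len(cards)
        stats[merchant] = {
            "merchant": merchant,
            "fraud_cards": hits,
            "all_cards": len(cards),
            "coverage": hits / len(fraud_cards),
            "purity": purity,
            "lift": purity / baseline if baseline else 0.0,
        }
    return stats


def common_point_of_purchase(transactions, fraud_cards, start, end,
                             min_fraud_cards=3, min_lift=2.0):
    """Return the merchants worth a phone call, most suspicious first.

    A merchant everyone uses (the grocer) has 100% coverage but a lift of
    1.0, so ranking on coverage alone would misfire; the lift threshold
    catches that. The minimum card count keeps one unlucky customer at a
    tiny merchant from triggering an investigation on its own.
    """
    stats = score_merchants(transactions, fraud_cards, start, end)
    flagged = [s for s in stats.values()
               if s["fraud_cards"] >= min_fraud_cards and s["lift"] >= min_lift]
    return sorted(flagged, key=lambda s: (s["lift"], s["coverage"]), reverse=True)


if __name__ == "__main__":
    for s in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS, WINDOW_START, WINDOW_END):
        print(f"{s['merchant']}: {s['fraud_cards']}/{s['all_cards']} cards reported, "
              f"coverage {s['coverage']:.0%}, lift {s['lift']:.1f}")
```

On the constructed data only the hardware store is flagged: all five reported cards shopped there, and five of its six customers turned up in fraud reports against a 25% rate across the whole card base. The grocer also has 100% coverage but a lift of exactly 1.0, which is why a merchant common to everyone does not get blamed, and the coffee shop reaches the lift threshold on a single card and is held back by the minimum count. This is the merchant-side view an issuer works from before any retailer admits to a problem; it says nothing about how the registers were compromised.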