
whereisjustice

(2,941 posts)
Wed Sep 10, 2014, 10:40 PM Sep 2014

In the name of profit Target and Home Depot refused to protect customers

This is criminal negligence. To anyone believing our salvation rests with the benevolence of corporations, go sit in the corner.

In the name of profit Target and Home Depot refused to protect customers; now customers' credit cards are stolen

In the wake of a stunning data breach at America's largest home improvement retail chain, The Home Depot, Inc. (HD), a stunning picture of negligence is slowly emerging. Both Home Depot and Target Corp. (TGT) -- whose registers were compromised last December -- appear to have fallen victim to a decade-old exploit of Windows XPe.

What's more, these losses -- which may total as many as 100 million customer credit and debit card numbers -- could have likely been prevented by simply paying to upgrade to a more modern Microsoft Corp. (MSFT) operating system, such as Windows 7 for Embedded Systems. But since Target, Home Depot, and others have refused to protect customers, customers are now paying the price. Banks are scrambling to try to control the damage of these massive intrusions perpetrated by hackers in Russia and Ukraine. But much damage is already done and will yet be done due to retailers' appalling technical negligence.

I. Windows XPe -- The OS Behind Retail's Credit Card Breaches

This week Brian Krebs, a top security researcher affiliated with The Washington Post, wrote in his blog Krebs on Security fresh details of a hack that potentially compromised millions of Americans' credit cards. Mr. Krebs had broken word of the hack last Tuesday, writing that it appeared to be the work of Russian hackers. Now he's offered up fresh details on the malware they used to siphon credit card numbers (CCNs) from checkouts of Home Depot.

The hack was first noticed sometime in the last month or two after bank fraud prevention specialists began to notice a recurring pattern of fraud and abuse that was correlated with customers who shopped at the retail giant.

[Image: Home Depot] In need of repairs: outdated software at America's largest home improvement retailer led to yet another loss of millions of customers' credit card numbers. [Image Source: Reuters]

The new report reveals that Home Depot's registers -- most of which are believed to still be running the aging point-of-sale versions of Windows XP or a derivative -- were infected with a kind of malware which was also installed on registers during the massive Dec. 2013 hack of Target.

To understand this malware, it's crucial to first understand its host -- a badly aging Microsoft operating system, that's behind the times security-wise, but still broadly used in the world of retail. The OS in question is a derivative of Windows XP, one of the most popular consumer OSes in history.

The version used by retailers is known as Windows XP Embedded (aka Windows XPe). It launched a month after the consumer version of the 14-year-old OS, in Nov. 2001.

According to Wikipedia, Home Depot was indeed using the original Windows XPe Service Pack 3 (SP3) on its point-of-sale (POS) devices (aka, registers in layman's terms). An article on Wikipedia reports that the chain uses the "Zune" theme, which was released in Nov. 2006 by Microsoft. The theme features dark grey windows tops and an orange Start Button, a departure from the standard green start button in Windows XP/XPe.

Target was also believed to be running the same aging OS -- Windows XPe SP3 -- on its PoS hardware. A Jan. 2003 press release from Microsoft rather ironically mentions both retailers in the same paragraph, indicating they adopted the OS late in 2002. It writes:

Retailers taking advantage of Microsoft .NET-enabled solutions include Rite Aid Corp. and Metro Cash & Carry, which are equipping retail stores with point-of-sale (POS) systems based on the Windows® XP Embedded operating system; Target Corp., which plans to deploy Windows XP Embedded in its Target and Mervyn's Stores; Best Buy Co. Inc. and 7-Eleven Inc., which are using Windows XP Tablet PC Edition in their corporate and store operations; and, most recently, Home Depot Inc., which has chosen to update its store point-of-sale terminals with Microsoft technologies because of their high degree of flexibility.

That sentence is painfully ironic today, as it ultimately reveals the root of one of the biggest successful cybercrime campaigns in recent history.


http://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm

h/t to PuppyBismark
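The way the breach surfaced in the quoted article, with bank fraud teams noticing that cards later reported as compromised clustered around one retailer, is what issuers call a common-point-of-purchase analysis. The Python below is an added example of that detection logic; it is not code from the DailyTech article, from Home Depot, or from any bank, and the transactions, card ids and merchant names it runs on are constructed for illustration.

```python
"""Common-point-of-purchase (CPP) analysis over a transaction log.

Given card transactions and the set of cards an issuer has since flagged as
fraudulent, find merchants whose customers are over-represented among the
compromised cards. A merchant whose compromise rate is far above the
baseline rate for all cards is a candidate breached merchant.
"""
from collections import defaultdict
from datetime import date


def _txns(merchant, day, cards):
    """Expand one shopping day at a merchant into (card, merchant, date) rows."""
    return [(card, merchant, day) for card in cards]


# Constructed sample data: every card id, merchant name and date here is
# invented for this example and corresponds to no real breach.
TRANSACTIONS = (
    _txns("HardwareCo", date(2014, 8, 5),
          ["card01", "card02", "card03", "card04", "card05"])
    + _txns("HardwareCo", date(2014, 3, 1), ["card06"])  # old visit, outside window
    + _txns("GroceryMart", date(2014, 8, 9),
            ["card01", "card03", "card06", "card07", "card08", "card09", "card10"])
    + _txns("CoffeeShop", date(2014, 8, 12), ["card05", "card06"])
    + _txns("GasStation", date(2014, 8, 14),
            ["card02"] + [f"card{n:02d}" for n in range(11, 21)])
)

# Cards the issuing banks later reported as fraudulent (constructed).
# card06 is deliberate noise: it was compromised somewhere else.
COMPROMISED = {"card01", "card02", "card03", "card04", "card06"}


def common_point_of_purchase(transactions, compromised, since=None,
                             min_cards=3, lift=2.0):
    """Return (baseline_rate, {merchant: compromise_rate}) for suspect merchants.

    since:     ignore transactions before this date (the exposure window).
    min_cards: merchants with fewer distinct cards are skipped; a rate
               computed from two cards is not evidence of anything.
    lift:      flag a merchant when its rate >= lift * baseline.
    """
    if since is not None:
        transactions = [t for t in transactions if t[2] >= since]

    # merchant -> set of distinct cards seen there in the window
    seen = defaultdict(set)
    for card, merchant, _day in transactions:
        seen[merchant].add(card)
    if not seen:
        return 0.0, {}

    all_cards = set().union(*seen.values())
    baseline = len(compromised & all_cards) / len(all_cards)

    suspects = {}
    for merchant, cards in seen.items():
        if len(cards) < min_cards:
            continue
        rate = len(cards & compromised) / len(cards)
        if baseline > 0 and rate >= lift * baseline:
            suspects[merchant] = rate
    return baseline, suspects


if __name__ == "__main__":
    base, hits = common_point_of_purchase(TRANSACTIONS, COMPROMISED,
                                          since=date(2014, 7, 1))
    print(f"baseline compromise rate: {base:.2f}")
    for merchant, rate in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"  suspect merchant {merchant}: {rate:.2f} of its cards compromised")
```

With the constructed data, one in four cards overall is compromised, but four of the five cards that shopped at HardwareCo in the window are, so only HardwareCo is flagged; GroceryMart shares some of the same victims but its rate stays under the lift threshold, and CoffeeShop is skipped for having too few cards. Real issuer analyses add a time dimension (the first fraud date of each card versus when it shopped where) and a statistical test instead of a fixed lift, but the core idea is this set intersection, which is why the banks saw the pattern before the retailer did.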
In the name of profit Target and Home Depot refused to protect customers (Original Post) whereisjustice Sep 2014 OP
, blkmusclmachine Sep 2014 #1
K & R SunSeeker Sep 2014 #2
Any windows system is not the answer nakocal Sep 2014 #3
+1 n/t area51 Sep 2014 #4
and ms probably lobbied hard to get them to use xpe bananas Sep 2014 #5
I read that after Target's problem, gvstn Sep 2014 #6

nakocal

(528 posts)
3. Any windows system is not the answer
Wed Sep 10, 2014, 11:22 PM
Sep 2014

All Windows operating systems are vulnerable. If you want a secure, robust system you need to use UNIX. All versions of Windows have so much unused garbage in them that they can be exploited.

bananas

(27,509 posts)
5. and ms probably lobbied hard to get them to use xpe
Thu Sep 11, 2014, 12:12 AM
Sep 2014

Microsoft should share the blame for aggressively marketing a defective product.

gvstn

(2,805 posts)
6. I read that after Target's problem,
Thu Sep 11, 2014, 01:51 AM
Sep 2014

It was recommended that other retailers check their logs each 24 hours for signs of fraud. Home Depot never implemented this security feature. They only checked it every few months which is why this went on so long. It was the banks/Visa/Mastercard network that saw a pattern and notified HD.

I'm still not sure who to blame. The big box stores may still be using XP for their registers which interact with card-readers that we all swipe. But banks still get about 30 cents for each debit transaction and Visa/Mastercard get about 2% per credit card transaction for processing fees.

It seems to me that banks and Visa/Mastercard should be on the hook for proper security. These days people swipe cards for even a one dollar purchase, which means your 70 cent candy bar cost $1.00 because there is a $.30 cent fee associated with it. The retailers expect that the card systems are safe because they pay at least $.30 per transaction but the banks/companies that process those transactions blame it on them using an old cash register system. Someone has to give on who is responsible. We all pay fees EVERYTIME we use a card whether we realize it or not. At this point going back to cash doesn't mean that retailers will remove the "hidden" cost of us using our debit/credit cards for far more purchases than actually necessary. My old rule for using a card was for a transaction of $50 dollars or more. Now, I use it for almost everything over $5. We all pay for my/our mindless using of cards when we could just pay cash instead.
