In a paper released today, Neal Krawetz of Hacker Factor Solutions looks at the probable causes behind recent large-scale data thefts at TJX, OfficeMax and other retailers. He concludes that "point-of-sale terminals and branch servers store credit card information in ways that are no longer secure enough."
Although Krawetz's paper doesn't reveal any new exploits against point-of-sale (POS) systems, he does fault practices still being used by various vendors. In an e-mail to CNET News.com, Krawetz wrote: "I believe that the vulnerabilities behind the January 2006 compromise of a Fujitsu Transaction Solutions national branch server were not limited to OfficeMax. The exploits could have happened to any vendor's system (IBM, NCR, Wincor Nixdorf, etc.) and not just FTS. It also could have happened to any retailer." Attempts by News.com to contact Fujitsu were unsuccessful.
Krawetz describes a typical retail POS system as three parts: a card reader, a transaction unit and a branch server. The traffic between the retailer and the credit card companies, he says, is secure; the problems lie inside the store. The transaction itself usually takes place at the cash register, with the customer standing by.
Krawetz says the password scheme on individual transaction units has had known vulnerabilities since 1992, but exploiting them requires physical access to the unit. Transaction units usually sit in highly visible parts of a store, so short of someone stealing the unit itself, the risk from this route is low. In 2005, Verifone addressed some of these vulnerabilities by issuing a new V* series transaction unit, retiring the older Tranz model.
Branch servers are where the sophisticated attacks are aimed, and Krawetz says the weak link is the communication between the cash register and the branch server. Branch servers collect data from the individual registers and may store it locally, regionally or nationally. In some deployments the register-to-server traffic is sent wirelessly over unencrypted networks.
In 2005, Paul Timmins, Adam Botbyl and Brian Salcedo were sentenced for using the unsecured wireless network of a Michigan Lowe's store to capture cash register data as it was transmitted to the branch server.
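To make the wireless problem concrete, here is an added example (not code from Krawetz's paper or from any POS vendor) of the check a practitioner would run on captured register-to-branch-server traffic: scan the bytes for 13-19 digit runs, keep only those that pass the Luhn mod-10 check, and mask them. The message format, field names and store numbers below are constructed for the example; the real FTS, IBM or NCR protocols are not described in the article. The card numbers are published test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Constructed sample of what cleartext register-to-branch-server messages might look like.
# Format and field names are assumptions for this example; PANs are standard test numbers.
SAMPLE_PAYLOAD = (
    b"TXN|store=0412|reg=07|amt=4719|pan=4111111111111111|exp=0909|auth=123456\r\n"
    b"TXN|store=0412|reg=07|amt=1299|pan=5500000000000004|exp=1208|auth=654321\r\n"
    b"TRK2|store=0412|reg=03|;4111111111111111=09091011234?\r\n"          # PAN inside track-2 data
    b"TXN|store=0412|reg=03|amt=2500|pan=1234567812345678|exp=0110|auth=000000\r\n"  # fails Luhn
    b"HB|store=0412|reg=03|seq=1234567890123456|ts=1169500000\r\n"        # 16 digits, not a card
)

# A PAN is 13-19 digits; the lookarounds stop us matching the middle of a longer digit run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> List[Tuple[int, str]]:
    """Return (byte offset, PAN) for every Luhn-valid 13-19 digit run in a cleartext payload.

    Luhn filtering is what keeps sequence numbers and timestamps out of the results; a
    long digit run that fails the check is almost never a card number.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = m.group().decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer BIN) and last four digits, as printed receipts do."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(payload: bytes) -> bytes:
    """Return the payload with every Luhn-valid PAN masked; non-card digit runs are left alone."""
    def repl(m):
        digits = m.group().decode("ascii")
        if luhn_ok(digits):
            return mask_pan(digits).encode("ascii")
        return m.group()
    return PAN_CANDIDATE.sub(repl, payload)


if __name__ == "__main__":
    for offset, pan in find_pans(SAMPLE_PAYLOAD):
        print(f"cleartext PAN at byte {offset}: {mask_pan(pan)}")
    print(redact(SAMPLE_PAYLOAD).decode("ascii"))
```

Run it against the raw TCP payload of a packet capture (or a tap on the wireless segment) and any line it prints is a card number that an attacker parked in the parking lot could have read just as easily. The same scan, applied to branch-server disk images, is a quick way to find the unencrypted stores the article describes.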
In today's report, Krawetz argues that large national chains use coded receipts not for security but to allow returns and exchanges at any store. That requires a large national database from which a store can pull back the original card data. So if such a chain allows 90-day returns and, Krawetz speculates, each store handles 2,000 transactions a day across 1,300 stores, that is about 234 million card records to retain. Krawetz allows that many of those transactions come from repeat customers; assuming 75 percent customer loyalty, he still arrives at about 54 million credit cards being stored on a server somewhere. That number roughly matches the 45 million cards stolen from TJX over a two-year period.
He concludes that retail POS systems have not kept up with technological advancements and seem to be trailing security practices elsewhere by at least a decade. "Why did 'change default passwords' not become standard until 2004? We knew about this for system administration back in 1994."