back to article Shopped in Forever 21? There was bank-card-slurping malware in it for, like, forever

Clothing chain Forever 21 has admitted a malware infection on its cash registers swiped customer payment card details for most of last year. The retailer issued a statement revealing that from how last year, from April 3 to November 18, hackers were able to harvest the payment card details from point of sale (POS) terminals in …

  1. a_yank_lurker

    Question

    How are the miscreant infecting POS systems? I ask out of my own ignorance.

    I know the Target hack was because of poor internal system design that allowed a hacker coming in one a vendor login to reach the POS system.

    1. Phil Kingston

      Re: Question

      Any number of ways from physical access to a terminal, back office server, head office PC, plugging their own lappy into a live LAN socket in store (or weakly password-protected in-store Wi-Fi), infected website payload downloaded on the back office PC by staff at lunchtime etc

      Mix together electronic payment processing and (often, but not necessarily in this case) elderly POS terminals running embedded/outdated/ne'er patched OSes and it's not long until something stinky cooks up.

      1. Frank Bitterlich
        WTF?

        Re: Question

        Any number of ways from physical access to a terminal, back office server, head office PC, [...]

        Not sure why you got downvoted for this – accurate answer to the question.

        A few more questions pop up in my mind, though:

        - Are there any penalties (fines) for losing card data (other than the risk of getting sued for damages by the victims, which AFAIK rarely succeeds unless you have actually lost money and have proof)?

        - Is there any progress (or even intention) to move towards chip-based cards in the US to limit at least card-copying attacks?

        - Isn't encryption mandatory by PCI DSS? What are the consequences for them if they "forgot" to turn it on?

        1. Lee D Silver badge

          Re: Question

          Why were they downvoted?

          "physical access to a terminal" - okay, fair enough.

          "back office server" - storing plain-text credit card records? Strike one.

          "head office PC" - storing plain-text credit card records? Strike two.

          "plugging their own lappy into a live LAN socket in store"? No VLAN? No traffic encryption? No port-isolation? Strike three.

          " (or weakly password-protected in-store Wi-Fi)" Strike four.

          "infected website payload downloaded on the back office PC by staff at lunchtime etc" (See above)

          None of those but literally access to a terminal should mean compromise. And even that means compromise of the terminal, no compromise of the entire system. Anything else is not only poorly-designed but not PCI-DSS compliant at all.

          NOBODY - at any kind of office or otherwise - should be able to see the plain-text credit card data on their PC. From merchants to a central secured network with full encryption, which then submits to the bank over a similar encrypted channel, sure. But nobody should be using the credit card data itself (sales records and APPROVED/REFUSED are another matter entirely and should be on an entirely different system) at all except the bank. Hell, most of the retail-store systems you see just talk straight out to the bank over secured channels that the company has no control over.

          That you can put ANYTHING on a POS network and have it sniff traffic, or compromise other ports, or do anything but talk over an encrypted channel to a bank is ridiculous. And certainly there should be no bog-standard office PC which has access to that data, even in theory for a large retail chain. Maybe a mom-and-pop shop, but they talk to the bank direct and the attack vectors are elsewhere in that case.

          Honestly... just shouldn't be happening. And certainly shouldn't be CLOSE to a network that allows any kind of software update / attack / compromise of the system by a third-party. Their bank will have their ass on their PCI-DSS disclosures if that's even possible.

          1. John Brown (no body) Silver badge

            Re: Question

            "Strike one....Strike four."

            Well, yes, those don't have the card details or direct access to them, but they are legitimate ways into a company system. It doesn't matter how a miscreant gets in, but once they are inside, most bets are off. Internal security is usually much lower priority than external security.

        2. John Brown (no body) Silver badge

          Re: Question

          "- Isn't encryption mandatory by PCI DSS? What are the consequences for them if they "forgot" to turn it on?"

          If your PCI costs are a rounding error then you get cut off from the system until you pay for re-compliance and then get monitored and re-certified more frequently (at your own cost). If your PCI compliance payments and transactions costs are noticeable to the c-suite bonus grabbers, then you get a slap on the wrist and told not to be a naughty boy again.

    2. Anonymous Coward
      Anonymous Coward

      Re: Question

      Since taking over the POS software requires some knowledge of the hardware and software in question (so as to know just where to hack), odds are they're inside jobs conducted by contracted tecnicos or the like sent to service the machines or other back office stuff in the system.

    3. Adam 52 Silver badge

      Re: Question

      "How are the miscreant infecting POS systems?"

      They don't appear to know. The press releases are on the Forever 21 website. Somebody told them there was an issue, they hired a security firm who found evidence of malware but they aren't telling us what.

    4. enormous c word
      Big Brother

      Re: Question

      Every card transaction is a potential exposure - and the banks want us to go contactless so they can cream off a percentage for every transaction - there'll be so many transactions on your statement nobody will ever be able to identify what is legit from fraud. Join me in the cash revolution and you too can avoid credit card fraud...

      1. 2Nick3

        Re: Question

        "Join me in the cash revolution and you too can avoid credit card fraud..."

        I was thinking along the same lines, but then you get cashiers making change, and sometimes that is very entertaining/frustrating, depending on your mood.

        A few weeks back I was due 77 cents in change on a purchase. The cashier pulled ten dimes, a nickel and two pennies. I asked her if I could get the three quarters (that bin was full in the cash drawer) and two pennies instead, and I could tell by the blank look on her face she wasn't able to compute that as the same value. Or the kid who told me two quarters was worth 30 cents "because two quarters in football is 30 minutes."

  2. sanmigueelbeer
    FAIL

    There's one born every minute ...

    Big business simply don't learn, eh?

    1. Doctor Syntax Silver badge

      Re: There's one born every minute ...

      "Big business simply don't learn, eh?"

      We're important. We don't need to learn.

  3. jake Silver badge

    Sad thing is ...

    ... the type of people who shop at such stores are used to getting ripped off at the retail level, and will probably not notice the fraudulent transactions.

  4. Terry 6 Silver badge

    Still a bit of click bait here

    The small print by-line was "By Shaun Nichols in San Francisco"

    Otherwise you have to read half of the story to realise that this is only in its American stores!

    That could just be an American reporter who forgets the USA isn't the whole world, of course.

    Still interesting, as a story. But not the same as reading that it happened in the UK/Worldwide for the non-Americans among us.

    1. katrinab Silver badge

      Re: Still a bit of click bait here

      Indeed, because I have shopped in Forever 21, though it was in mid December, and in the UK. Amex had, (and still have) a 5% cashback offer which I used.

  5. Anonymous Coward
    Anonymous Coward

    Are they *still* PCI-compliant?

    Because a quick search shows that it's not the first time this happens to them, and back then, almost 10 years ago, they were already PCI-compliant (which mandate that all credit card information MUST be encrypted):

    I'd very much like to know the current state of their PCI compliance, and who audited them.

    https://www.scmagazine.com/was-forever-21-wrongly-certified-pci-compliant/article/554996/

    1. Anonymous Coward
      Facepalm

      Re: Are they *still* PCI-compliant?

      "I'd very much like to know the current state of their PCI compliance, and who audited them."

      The same people that provided security for Equifax?

  6. Anonymous Coward
    Terminator

    POS malware infected appliances

    From the lack of any actual details, no need to guess as to the make of the appliances that stored the transaction logs and the malware was most probably inserted through an 'infected' email attachment.

  7. ToadOfToadHall

    What data are we talking about?

    Be interesting to know exactly what the fraudsters got hold of, and what they tried to do with it...

    There wouldn't have been PINs presumably (although these are sometimes used for US debit cards), so no cashing out at ATMs. Supposedly no cardholder names (so presumably no addresses either), so I'm guessing we're just talking about images of Track 2 data from cards. So probably just a matter of making counterfeit (mag stripe) cards and buying stuff. But this won't work for transactions that were originally chip.

    I doubt you can do much fraud these days with just an account number and an expiry date... Well, except maybe by creating an account on Amazon and then buying whatever you want!

    1. Charles 9

      Re: What data are we talking about?

      AFAIK, to use a card on Amazon or any other CNP site, you need to input the CVV number on the back of the card (NOT on the Chip or magstripe) at least once.

      1. katrinab Silver badge

        Re: What data are we talking about?

        Amazon doesn't require a CVV number. I have no idea how they get away with that.

        1. Rob Daglish

          Re: What data are we talking about?

          I think it's because they agree to take the hit if the transaction is later declared fraudulent. I'm sure I remember reading about it somewhere...

  8. The Empress

    that's fine - the only people who shop there are hookers, divorcees, and teenagers using their mom's stolen credit card.

  9. reprobate
    Holmes

    For many a year ...

    For many a year I have been told by retailers that they do not trust my cheques. To which the swift retort is that I don't trust their card machines. Yet another to add to the list of reasons why!

    At present we eventually compromise on cash, but be aware they are working hard through organisations such as "The Payments Council" (made up of banks and big retailers alone) to marginalise cash in just the same way as they marginalised cheques.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like