How criminal gangs played a role in retail security breaches
HARI SREENIVASAN: Another story that we wanted to follow up on tonight is the state of credit card security, or lack of it. This following discourse is about major security breaches at big retailers, including Target and Neiman Marcus. Now new details are emerging about who was behind it, and how it was accomplished. For more we are joined now, from Washington, by Mike Riley with Bloomberg News. So, there was a big report out - it started to layout the details. How do these hackers get all the credit card numbers?
MIKE RILEY: So, they have a pretty sophisticated piece of malware that goes on the point of sales system itself, so that is the terminal that sits in front the the cash register that we all swipe our cards on. So, the malware goes there and it takes advantage of a quirk, where within that machine, all that information that is taken off that card is sent from one memory chip to another. It is not encrypted in that process, and they grab it right there.
HARI SREENIVASAN: And so, who is writing this malware?
MIKE RILEY: It looks like it is Eastern European or Russian criminal gangs. Some of the most sophisticated hackers in the world are Russian or Eastern European. What they have done is they have gotten really good systems. It is like a supply chain that you can buy pieces of malware. If you are good enough, as in this case - they have bought a specific piece of malware, called Black POS. It is a pretty good piece of malware to begin with, but then they customized it. They made it better. They made it harder to find, and then they figured out a scheme to get into Target's computers, and stuck it on the point of sales system. It is also pretty clear that the same gang, or a group of different hackers using the same malware, are targeting other retailers. We have not seen the end of this.
HARI SREENIVASAN: Ok, so what are they doing with all this information once they have it? I mean is it being sold in the black market?
MIKE RILEY: Yes, there is an incredible sufficient supply stream that goes from the theft to the actual sales, so a lot of these are sold in what is called "carter forums." These are basically websites that you can get on and buy cards in bulk. But, it is a pretty sophisticated system, so you can buy cards based on the country of origin. You can buy cards based on the credit limit you want. In many cases the carter forum will guarantee that the cards have not been canceled when you buy them, and if you find out they are canceled they will give you your money back.
HARI SREENIVASAN: So, what is the threat to consumers? If the banks are kind of on the hook for this, besides the inconvenience of having to get a new card, what could go wrong?
MIKE RILEY: Yes, I think this is, from the consumer point of view, it really is, first of all, a convenience issue, especially in the case of the Target hacks and Neiman Marcus. I mean this happened right around the holiday season. One of the responses to this hack, because it was so big and you have forty million credit cards from one merchant that were taken, is the card issuers were taking immediate steps to try and control their loses, which means they were limiting the amount of money you could use to purchase from one POS system. They were, in some cases - your card would get - if they identified that your card has been sold under, and used fraudulently they would cancel it. Then you would have to wait a couple of days to get a new card. You know, normally that is not much of an inconvenience, during the holiday, Christmas shopping season though, that could have been a big deal, especially if you want to buy a television set. You don't have enough space on your card.
HARI SREENIVASAN: All right. Mike Riley from Bloomberg. Thanks so much.
MIKE RILEY: Sure, you got it.