Analysis: Home Depot Breach DetailsWhy Anti-Virus Didn't Stop POS Malware Attack
New allegations have emerged about information security practices at Home Depot in the wake of the retailer confirming that it suffered a data breach, resulting in the theft of an unknown quantity of credit and debit cards details.
Home Depot was using an older version of Symantec's anti-virus software on its point-of-sale devices, reports Bloomberg, quoting unnamed former managers. Those managers also allege that while Home Depot had purchased software designed to encrypt credit card data when it was being sent from POS devices to central servers, it had yet to implement the software. And the managers allege that the company's technology executives were underfunding the home improvement and construction retailer's information security program, leading to higher-than-average levels of security staff turnover.
Home Depot didn't respond to a request for comment from Information Security Group on the Bloomberg report. But spokeswoman Paula Drake told Bloomberg: "We're continually working to enhance our IT security to protect customer data, and we've taken aggressive steps to address the malware in this breach." She added that "it wouldn't be appropriate for us to comment on such rumors and speculation in the midst of our investigation."
Stolen Card Numbers Still Valid
Full details of the breach aren't yet known, including how many of the retailer's 2,155 stores in the United States and Canada may have been affected, and how many customers had card data exposed. The breach appears to have begun in April and wasn't detected by Home Depot until Sept. 2, after it received warnings of unusual payment-card activity from financial services firms and law enforcement agencies.
Based on the stolen card data now for sale on the Rescator carder forum, it appears that card issuers have yet to identify all of the card numbers that attackers obtained. "There are now 13 different card databases associated with the Home Depot breach for sale [and] each batch is still advertising '100% valid, no replacements,'" Dan Ingevaldson, chief technology officer at fraud prevention firm Easy Solutions, tells Information Security Media Group. "This indicates that [Rescator] is highly confident about the chances that these cards can still effectively be used successfully for fraudulent transactions. There appears to be nothing slowing down the active resale market for stolen home depot cards."
The stolen cards are currently retailing for between $9 and $50 each, he says, with business cards, platinum levels and American Express Centurion Cards commanding higher prices, and debit cards selling for less.
Anti-Virus Didn't Stop Attackers
Former Home Depot managers told Bloomberg that Home Depot was still running Symantec's Endpoint Protection 11 anti-virus software on its POS devices, which was introduced in 2007. Symantec subsequently introduced Endpoint Protection 12 in 2011, and plans to end support for the previous version come Jan. 5, 2015.
Bloomberg describes the version 11 anti-virus software as being "out of date." But technically speaking, the anti-virus is still supported by Symantec and receives anti-virus-signature updates.
In the bigger picture, furthermore, the anti-virus software was irrelevant, contends Chester Wisniewski, a senior security advisor at anti-virus vendor Sophos. "A smart attacker in a targeted environment will always bypass your anti-virus," he says, and especially if they're trying to take down a retailer the size of Home Depot. "If you're hitting something of that scale, you say, 'Oh they're running Symantec, or McAfee, or Sophos,' and the first thing the bad guy is going to do is download the software for free with a 30-day trial, write a virus that works on it, then hit it. These guys aren't stupid."
The key question is whether the incident was an opportunistic or targeted attack, Wisniewski says. "Because if it's opportunistic, having a good foundation - a good anti-virus and firewall - will thwart the vast majority of attacks," he says. "But if you're targeted, those become less useful and you have to fall back to other mechanisms."
The Bloomberg report also claims that Home Depot had purchased a security tool from Voltage Security designed to encrypt card data when it was being transferred from POS devices to a central server, but had not yet implemented it, thus suggesting card data was being transmitted internally in unencrypted fashion. Contacted by Information Security Media Group, a Voltage Security spokeswoman declined to comment on that report.
While encrypting that card data would have been a good security move, memory-scraping malware - including BlackPOS and Backoff - can pull card numbers from the memory of the POS device. "All of these things go through memory looking for unencrypted credit card data," Wisniewski says, meaning attackers wouldn't have had to bother trying to intercept unencrypted data in transit between POS devices and servers.
Would EMV Help?
Using more up-to-date anti-virus products or encryption tools might not have stopped the Home Depot breach, Wisniewski says. "What will stop it is if payment terminals stop transmitting credit card numbers," he says, which is a feature of EMV-compatible systems, when used with EMV or "Chip & PIN" cards.
"One of the benefits of Chip & PIN is that your credit card number never makes it into the memory of the payment terminal - all it gets is a transaction ID that says, this transaction was approved," he says. "In the U.K., since the introduction of Chip & PIN, retail fraud is down 83 percent - and of course, online fraud has doubled,' Wisniewski says. "It's not like there's less fraud, it's just that crooks stop targeting retailers, and go online, or they steal the stripe from your card in the U.K. and give it to a crook to use here [in the United States]."
Unlike most of the rest of the world, the United States is only now pushing EMV-compatible cards backed by a Chip & Signature system. Regardless of the signature requirement, when EMV cards are inserted into an EMV card reader, rather than their magnetic stripes being swiped, the card numbers don't end up in device memory, thus helping to mitigate the danger of RAM-scraping malware.
The Target breach, and other retailer breaches earlier this year, are believed to have involved the BlackPOS malware. In late August, security firm Trend Micro published a technical analysis suggesting that the malware behind the Home Depot breach was a BlackPOS variant, meaning the same gang might have been behind both attacks.
But some security experts have disputed the supposed technical connection. "As a malware analyst, I've looked at a number of point-of-sale malware families, such as BlackPOS, Alina, JackPOS, Chewbacca, Dexter, and most recently Backoff. So my ears perked up when I heard about this new BlackPOS variant," says Nuix malware researcher Josh Grunzweig in a blog post. "After careful review of both samples, I don't believe the sample in question is actually part of the BlackPOS malware family. While I thought Trend Micro's technical analysis was fantastic and overall a good read, it does not clearly identify a connection between the two samples."
Some other information security experts have backed Grunzweig's analysis. "There are lots of variations of POS malware, which is really using absolutely the same techniques for Track 2 data interception, but pretty different for stealthing, whitelisting, C&C communications and additional payloads," says Andrew Komarov CEO of cyber intelligence firm Intelcrawler, referring to the command-and-control channels used by malware.
Al Pascual, director of fraud and security research at Javelin Strategy & Research, offers a similar assessment. "Given the number of differences in how this malware was written and functions, it's clear that they are not in the same family."
But just because the malware differs doesn't mean the attackers do. "While it may have been written differently, we cannot discount the possibility that the same group was responsible for both," Pascual says. "Cybercrime outfits recruit various coders, and are not tied down to a single methodology. What we could be witnessing here is simply smart planning - while everyone is out looking for BlackPOS, they didn't notice the new guy across the street.
"The timing of the breach - so soon after Target; the target - a major U.S. retailer, which is no simple feat; and where the card data is being sold - Rescator - clouds the picture as to who is ultimately responsible," Pascual says.
(Executive Editor Tracy Kitten also contributed to this story.)