Magstrip Mayhem – Target Corp's achilles' heel
symbol. The United States commerce and payment card standard lags far behind in the implementation of this security feature. The United States point of sale terminals are mostly reliant on magnetic strip card reader technology (aka MagStrip.) Magstrip data is easily duplicated (stolen) with a $50 reader-writer available from many online 3rd parties. According to iSight Partners Inc and the US Department of Homeland Security, 70 million credit card numbers were stolen at Target stores from Point of Sale cashier magstrip readers via the Kaptoxa malware virus which ran from 10am to 5pm on Target Corp’ s own server. Kaptoxa is the non Cyrillic spelling of the Russian word for potato. Kaptoxa virus has been identified and defeated by antivirus vendors since 2012. The virus can be bought online from the black market for around $1000 USD. Its author has been identified as Sergey Tarasov who is a 17 year old from St Petersburg, Russia. Tarasov wrote the malware but was not involved in the Target Corp exploitation. Corporations in the United States are notorious for snubbing security in exchange for higher risks and lower up front expenditures. A move to adopt payment card embeded chip technology to avoid such an easily identified threat is not unreasonable but is certainly political. The National Institute of Standards and Technology (NIST) makes claims and protestations that interopability of smart cards is difficult. Perhaps the truth lies closer to the United States payment card industry’s insistence of dominating American standards with government participation. For more info and reading see NIST’s presentations. ]]>