Neiman Marcus says 'complex' malware defeated its security

Jeremy Kirk | Jan. 24, 2014
Neiman Marcus was unaware attackers had harvested payment card details until six weeks after the activity had ended, when its merchant processor zeroed in on a fraudulent spending pattern.

According to Kingston, Neiman Marcus' systems exceed the Payment Card Industry's Data Security Standard (PCI-DSS) requirements, a set of security best practices around handling card data.

PCI-DSS does not require encryption of network traffic within a retailer. Data from cards swiped at Neiman Marcus passes through a point-of-sale device's memory, "then is transmitted through an encrypted tunnel to a central point on our network," Kingston wrote.

"The data is then forwarded through a firewall to the merchant payment processor over a dedicated circuit," he wrote.

Kingston described the malware used as "complex and its output encrypted."

Its investigators analyzed the encryption algorithm and created a script that allowed them to decrypt the information it scrambled, which showed "payment card information had been captured," Kingston wrote.
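The letter gives no detail on the algorithm the investigators reversed, so the following is an added forensic illustration, not their script and not any real malware's output format. It assumes, purely for the example, that a memory-scraper's output file was obfuscated with a single-byte XOR key; the analyst does not know the key, but does know that genuine output should contain track-style card records. The script uses that structure plus the Luhn check as an oracle: it tries every candidate key and keeps the one under which Luhn-valid primary account numbers followed by a track separator appear. The sample blob is constructed from well-known test card numbers, not real accounts.

```python
"""Recover a single-byte XOR key from a suspected card-scraper output file.

Added example: the obfuscation scheme, file layout and sample data are all
assumptions for illustration, not the investigators' script or real malware
output. The approach (trial-decrypt, then look for structurally valid card
records) is the generic forensic idea; the oracle is the Luhn check plus the
track-data separators '^' (track 1) and '=' (track 2).
"""
import re

# A 13-19 digit run that is not part of a longer digit run and is followed by
# a track separator.  Requiring the separator keeps random digit-looking
# garbage under a wrong key from counting as a hit.
TRACK_PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})[=^]")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(blob: bytes) -> list:
    """Return Luhn-valid PANs that sit in track-record position in blob."""
    return [
        m.group(1).decode()
        for m in TRACK_PAN_RE.finditer(blob)
        if luhn_valid(m.group(1).decode())
    ]


def xor_bytes(blob: bytes, key: int) -> bytes:
    """Single-byte XOR: the assumed obfuscation (encrypts and decrypts alike)."""
    return bytes(b ^ key for b in blob)


def recover_key(blob: bytes):
    """Try all 256 keys; return (key, pans) for the key exposing the most
    valid card records, or (None, []) if no key exposes any."""
    best_key, best_pans = None, []
    for key in range(256):
        pans = find_pans(xor_bytes(blob, key))
        if len(pans) > len(best_pans):
            best_key, best_pans = key, pans
    return best_key, best_pans


def mask(pan: str) -> str:
    """PCI-style display: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample: one track-1 and two track-2 style records built from
# published test card numbers, obfuscated with the assumed key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = (
    b"%B4111111111111111^DOE/JOHN^2512101?\n"
    b";5555555555554444=2512101?\n"
    b";378282246310005=2512101?\n"
)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    key, pans = recover_key(SAMPLE_BLOB)
    if key is None:
        print("no key exposed card records; obfuscation is not single-byte XOR")
    else:
        print(f"key 0x{key:02x} exposes {len(pans)} card record(s):")
        for pan in pans:
            print("  ", mask(pan))
```

The masking step matters in practice: the point of the analysis is to prove that card data was captured and scope the exposure, so the recovered numbers should be logged and reported in truncated form. If no key produces hits, the assumption of a trivial cipher is wrong and the sample has to be reversed properly rather than brute-forced.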

Security experts believe a variant of "Kaptoxa," also called "BlackPOS," was used against Target. The malware was spotted by security companies as early as March 2013. It wasn't clear from Kingston's letter if Kaptoxa is the same malware used against Neiman Marcus.
