
why in the world are POS systems connected to the internet on public ip addresses?

security considerations aside, this is also more expensive and harder to implement than a private net. so someone actually sat down and made this decision deliberately.

pretty fucking amazing, if you ask me.



why in the world are POS systems connected to the internet on public ip addresses?

Historical reasons? Target does have a /16.

They can probably fill that block many times over now, but it would make sense that their numbering scheme has historical roots and that they continue using that space for interstore communication today. They got it in 1993, back when we were still pretending that exhausting the v4 space wasn't a thing, and before everyone started acting like the fact that a many-to-one NAT requires what is effectively a stateful firewall somehow offered a security advantage you couldn't get by just writing those firewall rules.

I was at an organization with a large v4 block once. It took a few years of having my desktop, laptop, and cellphone wifi connections all with routable v4 addresses before I stopped thinking it was weird, bad design and really came to appreciate: "oh shit, this is how the internet is supposed to be and it is so much nicer to work with."


I hope we'll get back there with v6.

(I worked at a company with a /8 IP block and always thought that this is how the founding fathers intended it to be.)


I don't think the Target POS terminals were on the Internet. The Brian Krebs article stated that the hacker compromised an externally facing web server and used that as a bridge to get into the corporate (private) network.

Since the POS terminals were all running a variant of Windows, it might have been as simple as querying the Active Directory to find out where everything was located within the Target network (at least for the Windows machines). Comments in the Krebs article also speculated that they exploited an account with a BMC systems management tool used at Target as well.


Well, should there not have been an air gap between the internet-facing systems and the core network that runs the POS?

Best practice would have the POS systems on a separate air-gapped network from the main Target intranet as well.


It wouldn't be a best practice to isolate the POS environments from all the other internal systems. Pricing, items, taxes, offers, coupons, etc. are all separate systems on the corporate network. They all need to communicate to the POS. It isn't realistic to air gap the POS at a business the scale of Target.

PCI rules just state the cardholder data environment (CDE) needs to be segmented from the rest of the corporate network (in addition to many other obligations). That would usually be done with VLANs and firewalls, but both are still on the same layer 2 network.
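As an added illustration of the segmentation the comment above describes (this is not code from the thread or from Target), here is a small model of a default-deny policy at the CDE boundary: a handful of named allow rules cross into or out of the POS VLAN, everything else is dropped, and an audit helper flags any allow rule that opens the CDE to a broad corporate range. All addresses, hosts, ports and rule names are constructed for the example.

```python
"""Model of a PCI-style segmentation policy: the cardholder data environment
(CDE) VLAN is default-deny, and only named flows cross its boundary.

Added example, not code from the thread; all addresses, hosts and rule names
are constructed (RFC 1918 and documentation ranges only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network zones.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),    # desktops, marketing, finance
    "cde":       ip_network("10.20.0.0/24"),    # POS terminals and store server
    "processor": ip_network("203.0.113.0/24"),  # payment processor (TEST-NET-3)
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR
    dst: str       # CIDR
    proto: str     # "tcp", "udp" or "any"
    dport: int     # 0 means any port
    action: str    # "allow" or "deny"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

# Ordered allow-list; anything not matched falls through to DEFAULT_DENY.
RULES = [
    Rule("pos-to-processor",   "10.20.0.0/24",   "203.0.113.0/24", "tcp", 443,  "allow"),
    Rule("pos-to-store-server", "10.20.0.0/24",  "10.20.0.10/32",  "tcp", 8443, "allow"),
    Rule("finance-etl-pull",   "10.10.5.20/32",  "10.20.0.10/32",  "tcp", 22,   "allow"),
    Rule("admin-jump-to-cde",  "10.10.250.5/32", "10.20.0.0/24",   "tcp", 22,   "allow"),
]
DEFAULT_DENY = Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", 0, "deny")

def matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (0, flow.dport))

def evaluate(flow: Flow, rules=RULES) -> Rule:
    """First-match evaluation; an unmatched flow gets the default-deny rule."""
    for rule in rules:
        if matches(rule, flow):
            return rule
    return DEFAULT_DENY

def crosses_cde_boundary(flow: Flow) -> bool:
    """True when exactly one end of the flow is inside the CDE VLAN."""
    src_in = ip_address(flow.src) in ZONES["cde"]
    dst_in = ip_address(flow.dst) in ZONES["cde"]
    return src_in != dst_in

def audit_rules(rules=RULES) -> list[str]:
    """Flag allow rules that let a broad (/16 or wider) non-CDE source into the CDE.
    This is the 'every Tom, Dick and Harry in marketing' check."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ip_network(r.src), ip_network(r.dst)
        if (dst.overlaps(ZONES["cde"]) and not src.subnet_of(ZONES["cde"])
                and src.prefixlen <= 16):
            findings.append(r.name)
    return findings

if __name__ == "__main__":
    for f in [Flow("10.20.0.31", "203.0.113.7", "tcp", 443),   # POS -> processor
              Flow("10.10.77.4", "10.20.0.31", "tcp", 445),    # marketing desktop -> POS
              Flow("10.10.5.20", "10.20.0.10", "tcp", 22)]:    # nightly finance pull
        r = evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dport}  {r.action:5}  ({r.name})")
    print("audit findings:", audit_rules())
```

The point of `audit_rules` is that VLANs plus a firewall only segment the CDE if the rule base stays narrow; a single "corporate /16 to CDE" allow rule undoes the segmentation while leaving the VLAN diagram looking fine.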


you only allow the POS system to be reachable by systems that ABSOLUTELY need to. NOT every Tom, Dick and Harry in marketing. You can do a nightly dump of finance data off this network for data warehousing, analytics and what have you.


Depends on how you define airgapping. If it's a fungible "you know what I mean," well then obviously yes. If it's an actual air gap, then no.

Practical business requirements on inventory management, sales metrics, system administration and (funnily enough) payment processing all prevent a register network from being airgapped. If you want to say their protection of those communication channels was shit, well, we already have proof it was. But airgapping? Not so much.


they had some lazy method where an admin could log in and update all the POS systems at once. Of course this was not done using SSH keys, and probably a weak password + GUI.


Best practice is to make more money than you lose. Hah.


A lot of POS systems are entirely online based these days (even hip ones like Square https://squareup.com/sell-in-store). I haven't read anywhere that Target's POS were online; this was a forum where the author was demonstrating how his software worked, and Target was not part of it. There haven't been a lot of details released, but from what's known now, an online-facing server was compromised and that was used as a hopping-off point to get to the POS.


The days of phoning in with a 1200-baud modem or collecting embossed card impressions are long gone.

A typical small-shop retail arrangement is to have the POS terminals behind a NAT router which is behind another NAT router that also serves up the customer-convenience WiFi AP.

When a terminal wants to put through a charge, it simply makes an HTTPS request to the payment processor. One or two seconds later, the request comes back, declined or accepted and here's the approval code. At that point, the POS sanitizes away the credit card details and applies the credit tender. Enjoy your latte, ma'am!

To hack such a system, you need to get onto the POS LAN. E.g., maybe there's a store server on the LAN with an SSH login, which you've uncovered after breaking into the corporate above-store network. Or maybe a disgruntled employee installs malware from a USB stick.

Then you exfiltrate the captured swipes, hopefully without leaving enough tracks to get caught. E.g., the malware periodically uploads the intercepts to some FTP site to which you can get access. Or, in the case of the disgruntled employee, it could simply involve dragging the files to the USB stick.

Between the store and the payment processor, we should be safe, given we're using HTTPS. However, payment processors have themselves been hacked. E.g., Heartland†.

http://voices.washingtonpost.com/securityfix/2009/01/payment...
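The comment above describes the store side of an authorization: the terminal posts the card data to the processor over HTTPS, gets back an approval code, and then "sanitizes away the credit card details". As an added example (not code from the thread or from any POS vendor), the block below models that post-authorization step and adds the check a defender would run over what the terminal persists: a scan for any 13 to 19 digit run that passes the Luhn check, which is how leftover PANs in journals or debug logs are usually caught. The processor request shape, field names and the sample card number (4111 1111 1111 1111, a well-known test PAN) are constructed; nothing here contacts a real processor.

```python
"""Store-side handling of a card authorization: build the request body that
would go to the processor, then keep only what the tender record needs.

Added example, not code from the thread. The processor API shape and the
sample card data are constructed; no network calls are made."""
import json
import re
from dataclasses import dataclass

@dataclass
class Swipe:
    pan: str           # full primary account number from the magstripe
    expiry: str        # YYMM
    track2: str        # raw track 2 data; must never be stored after auth
    amount_cents: int

def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def build_auth_request(swipe: Swipe) -> str:
    """Body of the HTTPS POST to the processor (constructed field names).
    This is the only place the full PAN and track data should ever be serialized."""
    return json.dumps({"pan": swipe.pan, "expiry": swipe.expiry,
                       "track2": swipe.track2, "amount": swipe.amount_cents})

def apply_tender(swipe: Swipe, response: dict) -> dict:
    """After the processor answers, keep only truncated PAN, approval code and
    outcome; the full PAN, expiry and track data are dropped and overwritten."""
    record = {
        "approved": response.get("status") == "approved",
        "approval_code": response.get("approval_code"),
        "last4": swipe.pan[-4:],
        "amount_cents": swipe.amount_cents,
    }
    # Scrub the in-memory copy so a later crash dump or verbose log cannot
    # pick the card data up from this object.
    swipe.pan = "*" * len(swipe.pan)
    swipe.track2 = ""
    swipe.expiry = ""
    return record

PAN_RE = re.compile(r"\b\d{13,19}\b")

def find_pans(text: str) -> list:
    """Detection helper: every 13-19 digit run that passes Luhn is reported as
    a possible PAN. Run it over journals, receipts and logs the POS writes."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

if __name__ == "__main__":
    # Constructed swipe using the 4111... test PAN and a shortened track 2.
    swipe = Swipe("4111111111111111", "2512", "4111111111111111=2512101", 450)
    request_body = build_auth_request(swipe)          # contains the PAN, as it must
    fake_response = {"status": "approved", "approval_code": "A1B2C3"}
    tender = apply_tender(swipe, fake_response)
    print("tender record:", tender)
    print("PANs left in tender record:", find_pans(str(tender)))   # expect none
    print("PANs in request body:", find_pans(request_body))         # expect the test PAN
```

The request body is the one artifact that legitimately carries the PAN, and it should exist only for the duration of the HTTPS call; `find_pans` over everything the terminal writes afterwards is the quick test that the "sanitizes away" step actually happened.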


The terminals need to send sales data, receive updates of all kinds, and be available for remote access. I do POS support and connect to stores all over the world via public IP for troubleshooting.



