In the name of profit Target and Home Depot refused to protect customers; now customers' credit cards are stolen

In the wake of a stunning data breach at America's largest home improvement retail chain, The Home Depot, Inc. (HD), a stunning picture of negligence is slowly emerging. Both Home Depot and Target Corp. (TGT) -- whose registers were compromised last December -- appear to have fallen victim to a decade-old exploit of Windows XPe.

What's more, these losses -- which may total as many as 100 million customer credit and debit card numbers -- could have likely been prevented by simply paying to upgrade to a more modern Microsoft Corp. (MSFT) operating system, such as Windows 7 for Embedded Systems. But since Target, Home Depot, and others have refused to protect customers, customers are now paying the price. Banks are scrambling to try to control the damage of these massive intrusions perpetrated by hackers in Russia and Ukraine. But much damage is already done and will yet be done due to retailers' appalling technical negligence.

I. Windows XPe -- The OS Behind Retail's Credit Card Breaches

This week Brian Krebs, a top security research affiliated with The Washington Post, wrote in his blog Krebs on Security fresh details of a hack that potentially compromised millions of Americans' credit cards. Mr. Krebs had broken word of the hack last Tuesday, writing that it appeared to be the work of Russian hackers. Now he's offered up fresh details on the malware they used to siphon credit card numbers (CCNs) from checkouts of Home Depot.

The hack was first noticed sometime in the last month or two after bank fraud prevention specialists began to notice a reoccurring pattern of fraud, abuse that was correlated with customers who shopped at the retail giant.

Home Depot
In need of repairs: outdated softwae at America's largest home improvement retailer led to yet another loss of millions of customers' credit card numbers. [Image Source: Reuters]

The new report reveals that Home Depot's registers -- most of which are believed to still be running the aging point-of-sale versions of Windows XP or a derivative -- were infected with a kind of malware which was also installed on registers during the massive Dec. 2013 hack of Target.

To understand this malware, it's crucial to first understand its host -- a badly aging Microsoft operating system, that's behind the times security-wise, but still broadly used in the world of retail. The OS in question is a derivative of Windows XP, one of the most popular consumer OSes in history.

The version used by retailers is known as Windows XP Embedded (aka Windows XPe). It launched a month after the consumer version of the 14-year-old OS, in Nov. 2001.

According to Wikipedia, Home Depot was indeed using the original Windows XPe Service Pack 3 (SP3) on its point-of-sale (POS) devices (aka, registers in layman's terms). An article on Wikipedia reports that the chain uses the "Zune" theme, which was released in Nov. 2006 by Microsoft. The theme features dark grey windows tops and an orange Start Button, a departure from the standard green start button in Windows XP/XPe.

Target was also believed to be running the same aging OS -- Windows XPe SP3 -- on its PoS hardware. A Jan. 2003 press release from Microsoft rather ironically mentions both retailers in the same paragraph, indicating they adopted the OS late in 2002. It writes:

Retailers taking advantage of Microsoft .NET-enabled solutions include Rite Aid Corp. and Metro Cash & Carry, which are equipping retail stores with point-of-sale (POS) systems based on the Windows® XP Embedded operating system; Target Corp., which plans to deploy Windows XP Embedded in its Target and Mervyn's Stores; Best Buy Co. Inc. and 7-Eleven Inc., which are using Windows XP Tablet PC Edition in their corporate and store operations; and, most recently, Home Depot Inc., which has chosen to update its store point-of-sale terminals with Microsoft technologies because of their high degree of flexibility.

That sentence is painfully ironic today, as it ultimately reveals the root of one of the biggest successful cybercrime campaigns in recent history.