Wednesday, March 19, 2008

Does Hannaford Hack Suggest PCI Standards are Flawed?

A security breach of one of our nation's grocery chains computer system may have exposed 4.2 million debit and credit card numbers to theft, making it one of the largest such cases in the nation. Hannaford Bros. says it has secured its credit and debit card transaction system to block future unauthorized access and the Secret Service is investigating. So far, 1,800 cases of fraud are linked to the breach.

Kevin Mandia, president of Alexandria, Va.-based computer security firm Mandiant Corp., said retailers are most vulnerable during the processing of the credit or debit transaction. Hackers can create a type of software called a "sniffer" that acts like a wiretap and can intercept credit and debit card data as it travels between the retailer's point of sale and the credit card processing company. It can be very difficult to detect sniffers.
While the banks appear all but ready to blame Hannaford for failing to follow payment card industry standards on security, there are signs that this may be the first of many cases to surface this year wherein the affected retailer was hacked even though it appeared to be following all of the security rules laid out by the credit card associations.

Editor's Note: What does this have to do with HomeATM you ask? The highlighted sections below underline deficiencies (in the brick and mortar world) where deficiencies should NOT exist and where HomeATM has already taken precautions designed to alleviate these new concerns.

The Boston Globe's Ross Kerber today writes that Hannaford is still investigating
the specifics of how the data was taken, but that the company's chief executive said the data "was illegally accessed from our computer systems during transmission of card authorization." Translation: The hackers snatched the credit/debit card data sometime between when the customer swiped their card in the reader at the register and when that transaction was approved.

Editor's Note: If the passage in the second highlighted area is correct, then the revised PCI-DSS standard is flawed.

The Globe story continues: "What could make the Hannaford case unusual is that since last spring its stores have met industry standards regarding how customer data is stored and maintained, Eleazer said. Many other retailers victimized by breaches, including TJX, had been faulted for lax security. It's too soon to know whether Hannaford's case will warrant the consideration of further security reforms, said Ted Julian, vice president of strategy at Application Security Inc., a New York database services company."

Brian Sartin, vice president of investigative response for Cybertrust, a division of Verizon said a great many retailers have taken extra precautions to ensure that any credit or debit card data they store is properly encrypted and secured.

Sartin said his team is currently responding to a number of data breaches in which hackers have targeted financial data as it is being transferred from the retailer to the credit card processor and back.

While the payment card industry standards require retailers to encrypt payment data when it traverses public networks, that requirement does not necessarily apply to a company's own internal, non-public networks, Sartin said.

"I would say a trend we're seeing hitting a lot of retailers right now is that these organizations can be [compliant with the credit card industry security standards] and still have customer data stolen," Sartin said. "The data in transit is allowed to traverse private links and internal infrastructure without being encrypted, and the attackers are taking advantage of that."

Editor's Note: According to George Gendron, President of HomeATM, "Contrary to current practices – and a function that HomeATM has presented a patent application on – HomeATM decreases the chance of hacking during transmission by not only encrypting the PIN, but also the PAN prior to transmitting."

Sartin declined to say whether this dynamic was at work in the Hannaford case (his company had been retained by a party involved in the breach). But he noted that Cybertrust has found with a number of very recent compromises that attackers have seized control over the very terminals that control cash registers or point-of-sale systems within a retail store, or the server through which all registers connect to pass transaction data out across the Internet to the store's payment processor. Once these systems have been compromised, Sartin said, the attackers typically eavesdrop on the network using "sniffer" programs that can extract credit and debit card data as it moves across the wire, before it even leaves the store's network.

Indeed, attackers appear to be exploiting the letter - if not the spirit - of the payment card industry standards, said Tom Kellerman, vice president of security awareness at Core Security.

Kellerman said many retailers not only fail to encrypt financial data while it is being moved around inside the stores, but they also fail to understand that encrypting data is meaningless if the merchant doesn't also harden the security of the computers that power the point of sale systems.

Already, there are signs that 2008 may turn out to be a record-breaking year for retailer and card processor data breach disclosures. Kevin Mandia, president of Mandiant Corp., an Alexandria, Va.-based company that specializes in investigating data breaches, said his firm responded to more credit card losses in the past year than in any prior 12-month period. "It's early in the year, but the tempo [of data breaches] has been very heightened since the summer of 2007 and maintained the same barrage," Mandia said. "We're seeing at least two new companies a week discovering that they've lost credit card numbers, and at the rate we're going [the criminals] are going to exhaust U.S. retailers as targets.

Disqus for ePayment News