How to lose 100M transactions a month to the Bad Guys
February 18, 2009
Over the last few years, there have been several high-profile data thefts resulting from Bad Guys stealing credit card numbers in bulk. There was CardSystems a couple of years ago, and of course, the 90+ million stolen numbers from TJX.
Well, on January 20th – during the President’s inauguration – Heartland Payment Systems announced what may be the largest loss of credit card information ever: 100 million transactions a month! It’s theoretically possible that more cards were compromised in one month’s time than in the entire three years that the TJX systems were being attacked. Over 220 banks have issued notices to cardholders that their cards were affected. And, of course, the predictable class-action lawsuits have been filed.
Details have been sketchy, but I’ve read a few snippets here and there that give me a good guess or two as to how this happened. But first, some background.
The payment card industry imposes on itself certain data security standards, called (creatively enough) the Payment Card Industry Data Security Standard, or PCI DSS. PCI lays down a number of requirements that must be followed by card issuers, processors, and the merchants that accept these cards. The standards require formal audits and certification, and having been through a few of them, I can tell you that they’re very specific as to what minimum level of security must be in place.
Among other things, the PCI DSS standards were designed to avoid precisely what happened at TJX, CardSystems, and now at Heartland: the mass loss of cardmember data.
So, what happened? Are PCI DSS standards useless? Well, the attack on Heartland worked because of an issue that the standards don’t address: the Bad Guys snooped on data as it was moving from one (presumably secure) system to the next. Data “in flight” is not required to be protected in any special way, as long as it’s moving within an organization between two secure systems. Furthermore, due to the way the payment card industry has evolved over the years, handing off data from one organization to another sometimes requires that there be no data encryption in place.
So, that’s the vulnerability in the standard that it appears the Bad Guys exploited. How’d they pull it off?
At this point, Heartland is being coy about the details, but they have said that they discovered an eavesdropping-style attack that had been going on for an unknown period of time. As in, this thing could have been there for months. The Bad Guys managed to find a way to tap into the data network inside Heartland at a point where the data was in the clear. Once they had the data in their hands, they simply needed a way to get it back into the Bad Guys’ hands. There are a number of possibilities here, including low-bandwidth uploads to a drop site on the internet, or even easier, uploads via a 3G cellular modem like a Verizon air card. Does this sound similar to the ATM skimmers I wrote about earlier? It should!
So, the only question left is how they got the data. Here, there are a couple of possibilities. The Bad Guys could have found a way to sneak a kind of program called a protocol analyzer onto a vulnerable system – or they could simply have used a built-in analyzer like tcpdump. Then, any captured data could simply be read from that analyzer and uploaded as described above. While the PCI DSS specs require some degree of binary checksumming (a way to make sure that the files on the computer haven’t changed), I’m not sure if Heartland would have detected new binaries.
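The "binary checksumming" control mentioned above, as an added example that is not from the original post: a minimal file-integrity baseline that hashes every file under a directory and diffs the result against a saved baseline, so a newly dropped analyzer binary or a replaced system tool shows up as added or changed. The directory and baseline paths are whatever the caller supplies.

```python
# Added example (not from the original post): a minimal file-integrity baseline
# of the kind the post's "binary checksumming" refers to. It hashes every file
# under a directory and diffs against a saved baseline, so a dropped sniffer
# binary or a replaced system tool shows up as "added" or "changed".
import hashlib
import json
import os
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def save_baseline(root: str, baseline_path: str) -> None:
    """Write the current snapshot; keep this file off the monitored host."""
    with open(baseline_path, "w") as f:
        json.dump(snapshot(root), f, indent=2, sort_keys=True)


def check_against_baseline(root: str, baseline_path: str) -> Dict[str, List[str]]:
    """Report files added, changed or removed since the baseline was taken."""
    with open(baseline_path) as f:
        old = json.load(f)
    new = snapshot(root)
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "changed": sorted(p for p in new if p in old and new[p] != old[p]),
    }
```

A baseline that lives on the monitored host can be rewritten by whoever planted the binary, so store it (or a signature over it) somewhere the monitored system cannot write.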
The other possibility is using dedicated hardware to do the analysis. It could be as simple as one extra box on a rack, cabled into an analysis port on a switch – something that the Good Guys may never have noticed – or something even more elaborate, such as a passive RMON probe tap. Either way, we’re talking about ZERO specialized pieces of hardware; even the RMON probes can be built out of parts from your local MicroCenter.
A set-up like this might have gone undetected forever. In fact, it probably would have, had the Bad Guys been just a little bit more careful with the information they stole. You see, it turns out that Heartland was NOTIFIED that something bad was going on. A measurable uptick in fraudulent activity was noticed and reported to them months before their January 20 release. It took a specialist team – two of them, if you believe the press release – to take apart the network and find the bug. If the Bad Guys did their jobs right, this should be very very difficult to trace back.
What data was compromised? The Bad Guys got the information from the cards’ magnetic stripes. I wrote about mag stripe skimmers before, and all of the same considerations apply here. As to exactly what they got, it’s a virtual guarantee that the Bad Guys got card numbers and expiration dates. Some transactions likely included the Track 1 data from the card, which includes your name. Finally, there is room in the encoding for the card’s security code, although it’s not clear from reports whether that information was in the compromised data stream.
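The Track 1 layout referred to above, as an added example that is not from the original post: a parser for the ISO 7813 Track 1 record showing exactly which fields ride the stripe in the clear (PAN, name, expiry, service code, and the issuer's discretionary field where the stripe's security code lives), plus a reduction of the record to what PCI DSS lets a processor retain after authorization (masked PAN, name, expiry). The sample track is constructed around a standard test PAN; the discretionary field content is made up.

```python
# Added example (not from the original post): parser for the ISO 7813 Track 1
# layout the post refers to. It shows which fields ride the stripe in the clear
# and reduces a record to what PCI DSS lets a processor retain after
# authorization: masked PAN (first six / last four), name, expiry; no track
# data, no CVV. SAMPLE_TRACK1 is constructed with a standard test PAN.
import re
from dataclasses import dataclass

TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<service>\d{3})(?P<disc>[^?]*)\?$"
)


@dataclass
class Track1:
    pan: str
    name: str
    expiry: str  # YYMM as encoded on the stripe
    service_code: str
    discretionary: str  # issuer field; PVV and the stripe's CVV1/CVC1 live here


def parse_track1(raw: str) -> Track1:
    m = TRACK1_RE.match(raw)
    if not m:
        raise ValueError("not a Track 1 record")
    return Track1(m["pan"], m["name"], m["exp"], m["service"], m["disc"])


def luhn_ok(pan: str) -> bool:
    """Luhn check digit; a cheap filter when scanning captures or logs for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def retainable_record(raw: str) -> dict:
    """The subset a processor may keep: masked PAN, name, expiry. Nothing else."""
    t = parse_track1(raw)
    return {"pan_masked": mask_pan(t.pan), "name": t.name, "expiry": t.expiry}


SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^25121011234567890?"
```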
The most important question, though, is what to do about all of this nonsense. Start by assuming the worst – the Bad Guys have your name, your credit card number, expiration date, and maybe your card’s security code. This isn’t the end of the world in itself, but you DO have to take action to prevent this from causing you trouble down the line. While this is not specifically a major identity theft event, as it stands, it COULD impact your credit report if a Bad Guy uses your card without your knowledge.
Furthermore, it’s the cardholder’s responsibility to monitor activity on each statement, and to report anything that looks suspicious. That could be easy if you use a program like Quicken to download and manually approve every transaction on every card you use – this is what I do – or it could be exceedingly difficult, to the point of futility, if you have lots of transactions on a card and get paper statements each month. The other danger scenario is if you have extra cards that you never use and therefore don’t monitor. Waiting too long to report fraudulent activity could cost you money.
Heartland declined to provide credit monitoring services to affected users. Partly, that’s because they probably can’t tell who has been affected, since they have no idea when the analyzer was installed. But whatever the case, I think they’re wrong: good credit monitoring services can let you know whenever a negative mark is made on your credit file. It can be much easier to address issues like this immediately, rather than waiting a couple of years and then wondering why your home mortgage application was rejected.
Of course, the best defense is to add a second factor of security to the card itself. Using a transaction confirmation system for risky or nonstandard transactions can go a long way toward preventing any credit problems.
Finally, if you ARE affected by this mess, you should have your bank issue new cards under new account numbers. In fact, you should consider replacing ALL of your cards, since it may be hard to tell which card you used at which merchant during which time period.