How to lose 100M transactions a month to the Bad Guys
February 18, 2009
Over the last few years, there have been several high-profile data thefts resulting from Bad Guys stealing credit card numbers in bulk. There was CardSystems a couple of years ago, and of course, the 90+ million stolen numbers from TJX.
Well, on January 20th – during the President’s inauguration – Heartland Payment Systems announced what may be the largest loss of credit card information ever: 100 million transactions a month! It’s theoretically possible that more cards were compromised in one month’s time than in the entire three years that the TJX systems were being attacked. Over 220 banks have issued notices to cardholders that their cards were affected. And, of course, the predictable class-action lawsuits have been filed.
Details have been sketchy, but I’ve read a few snippets here and there that give me a good guess or two as to how this happened. But first, some background.
The payment card industry imposes on itself certain data security standards, called (creatively enough) the Payment Card Industry Data Security Standard, or PCI DSS. PCI lays down a number of requirements that must be followed by card issuers, processors, and the merchants that accept these cards. The standards require formal audits and certification, and having been through a few of them, I can tell you that they’re very specific as to what minimum level of security must be in place.
Among other things, the PCI DSS standards were designed to avoid precisely what happened at TJX, CardSystems, and now at Heartland: the mass loss of cardmember data.
So, what happened? Are PCI DSS standards useless? Well, the attack on Heartland worked because of an issue that the standards don’t address: the Bad Guys snooped on data as it was moving from one (presumably secure) system to the next. PCI DSS requires cardholder data to be encrypted when it crosses open, public networks, but data “in flight” on an internal network between two secure systems carries no such requirement. Furthermore, due to the way the payment card industry has evolved over the years, handing off data from one organization to another sometimes requires that there be no data encryption in place.
So, that’s the vulnerability in the standard that it appears the Bad Guys exploited. How’d they pull it off?
At this point, Heartland is being coy about the details, but they have said that they discovered an eavesdropping-style attack that had been going on for an unknown period of time. As in, this thing could have been there for months. The Bad Guys managed to find a way to tap into the data network inside Heartland at a point where the data was in the clear. Once the tap was collecting data, the only remaining problem was getting it out of the building. There are a number of possibilities here, including low-bandwidth uploads to a drop site on the internet or, even easier, uploads via a 3G cellular modem like a Verizon air card, which never touches the victim’s network and so never shows up in its egress logs. Does this sound similar to the ATM skimmers I wrote about earlier? It should!
So, the only question left is how they got the data. Here, there are a couple of possibilities. The Bad Guys could have found a way to sneak a protocol analyzer (a packet sniffer) onto a vulnerable system, or they could simply have used one that was already installed, like tcpdump. Then, any captured data could simply be read from that analyzer and uploaded as described above. PCI DSS requires some degree of file-integrity monitoring (checksums that flag changes to critical system files and binaries), but such checks only catch binaries that were added or altered on disk; a sniffer that was already on the box, or that ran only in memory, leaves nothing for them to find. I’m not sure if Heartland would have detected new binaries.
The other possibility is using dedicated hardware to do the analysis. It could be as simple as one extra box on a rack, cabled into a mirror (SPAN) port on a switch, something that the Good Guys may never have noticed, or something even more elaborate, such as a passive RMON probe tap. Either way, we’re talking about ZERO specialized pieces of hardware; even the RMON probes can be built out of parts from your local MicroCenter. And because a passive tap transmits nothing, no amount of scanning the network from the inside will reveal it; you find it by walking the racks and auditing the cabling.
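As an added illustration (not code from the original post, and not anything Heartland ran), here is the baseline-and-compare check that PCI’s file-integrity requirement is asking for, in Python. The directory tree, the placeholder “binaries”, the dropped sniffer and the trojaned `ls` are all constructed inside the script so it runs offline; on a real host the baseline would be taken from a known-good build and stored, signed, off the monitored machine.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries don't land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root, '/'-separated) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and devices are reported separately in a real FIM
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Three buckets an operator needs to triage: new files, vanished files, changed files."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: clean baseline of a fake bin/, then an attacker drops a sniffer
    binary and patches ls to hide it. Nothing here touches the real filesystem."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "cat", "sh"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"ELF-placeholder " + name.encode())  # stands in for a real binary
        baseline = build_baseline(root)

        # Attacker activity after the baseline was taken.
        with open(os.path.join(bindir, "tcpdump"), "wb") as f:   # new binary on disk
            f.write(b"ELF-placeholder sniffer")
        with open(os.path.join(bindir, "ls"), "ab") as f:        # existing binary altered
            f.write(b"\x00patched")

        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:9s} {paths}")
```

The comparison flags exactly `bin/tcpdump` as added and `bin/ls` as modified. Note what it does not flag: a tcpdump that was already in the baseline because the vendor image shipped it, a sniffer that lives only in a running process, and anything plugged into a mirror port. File-integrity monitoring is necessary, but it is not a substitute for knowing which hosts can legitimately run a capture tool and for auditing the switch configuration.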
A set-up like this might have gone undetected forever. In fact, it probably would have, had the Bad Guys been just a little bit more careful with the information they stole. You see, it turns out that Heartland was NOTIFIED that something bad was going on. A measurable uptick in fraudulent activity was noticed and reported to them months before their January 20 release. It took a specialist team – two of them, if you believe the press release – to take apart the network and find the bug. If the Bad Guys did their jobs right, this should be very very difficult to trace back.
What data was compromised? The Bad Guys got the information from the cards’ magnetic stripes. I wrote about mag stripe skimmers before, and all of the same considerations apply here. As to exactly what they got, it’s a virtual guarantee that the Bad Guys got card numbers and expiration dates. Some transactions likely included the Track 1 data from the card, which includes your name. Finally, the stripe’s discretionary data has room for a card verification value (the CVV1/CVC1 encoded on the stripe, which is distinct from the three- or four-digit code printed on the card), although it’s not clear from reports whether that information was in the compromised data stream.
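To make concrete what a tap on an unencrypted feed actually hands the Bad Guys, and why a mod-10 check is all it takes to pick card data out of a stream, here is an added example in Python (mine, not Heartland’s code or anything from the original post) that parses ISO 7813 Track 1 and Track 2 data out of a constructed capture. The capture, its POS/timestamp framing and the PANs (the widely published Visa and Mastercard test numbers) are all made up for the example; one 16-digit run is included deliberately so the Luhn filter has something to reject.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Track 1 (ISO 7813 format B): %B<PAN>^<LAST/FIRST>^<YYMM><service code><discretionary>?
# Track 2:                     ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")

# Constructed sample of an in-the-clear authorization feed (framing lines are invented).
CAPTURE = (
    b"POS=0042 TS=20090118T101502\r\n"
    b"%B4111111111111111^DOE/JANE^09121011234567890?\r\n"
    b";4111111111111111=091210112345678?\r\n"
    b"AMT=004599 CUR=840\r\n"
    b"POS=0042 TS=20090118T101530\r\n"
    b";5500000000000004=101220100000000?\r\n"
    b";1234567890123456=0912101?\r\n"   # looks like a PAN, fails Luhn, must be ignored
)


@dataclass
class TrackRecord:
    track: int
    pan: str
    expiry: str            # YYMM
    service_code: str
    name: Optional[str]    # Track 1 only
    discretionary: str     # issuer-defined: PVV, CVV1/CVC1, etc.


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit; weeds out digit runs (timestamps, amounts) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_tracks(data: bytes) -> List[TrackRecord]:
    """Pull every Luhn-valid Track 1/Track 2 record out of a raw byte stream, in wire order."""
    text = data.decode("ascii", errors="replace")
    hits: List[Tuple[int, TrackRecord]] = []
    for m in TRACK1_RE.finditer(text):
        if luhn_ok(m["pan"]):
            hits.append((m.start(), TrackRecord(1, m["pan"], m["exp"], m["svc"], m["name"], m["disc"])))
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m["pan"]):
            hits.append((m.start(), TrackRecord(2, m["pan"], m["exp"], m["svc"], None, m["disc"])))
    return [rec for _pos, rec in sorted(hits, key=lambda h: h[0])]


def mask_pan(pan: str) -> str:
    """First six (BIN) and last four are what PCI permits on a display; the middle is masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_capture(data: bytes = CAPTURE) -> List[TrackRecord]:
    return parse_tracks(data)


if __name__ == "__main__":
    for r in scan_capture():
        print(f"track {r.track}  {mask_pan(r.pan)}  exp {r.expiry}  svc {r.service_code}  "
              f"name={r.name!r}  discretionary={r.discretionary!r}")
```

The same forty lines serve both sides: a Bad Guy runs them over a sniffer’s output to harvest PAN, expiry, name and the issuer’s discretionary field, and a Good Guy runs them over the same capture to prove that cleartext track data is crossing a segment it should not. Note that the discretionary field is reported as-is; which bytes in it are the stripe CVV is issuer-specific, so the parser does not guess.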
The most important question, though, is what to do about all of this nonsense. Start by assuming the worst: the Bad Guys have your name, your credit card number, expiration date, and maybe your card’s security code. This isn’t the end of the world in itself, but you DO have to take action to keep it from causing you trouble down the line. While this is not a major identity theft event as such, it COULD impact your credit report if a Bad Guy uses your card without your knowledge.
Furthermore, it’s the cardholder’s responsibility to monitor activity on each statement, and to report anything that looks suspicious. That could be easy if you use a program like Quicken to download and manually approve every transaction on every card you use – this is what I do – or it could be exceedingly difficult, to the point of futility, if you have lots of transactions on a card and get paper statements each month. The other danger scenario is if you have extra cards that you never use and therefore don’t monitor. Waiting too long to report fraudulent activity could cost you money.
Heartland declined to provide credit monitoring services to affected cardholders. Partly, that’s because they probably can’t tell who has been affected, since they have no idea when the analyzer was installed. But whatever the case, I think they’re wrong: good credit monitoring services can let you know whenever a negative mark is made on your credit file. It can be much easier to address issues like this immediately, rather than waiting a couple of years and then wondering why your home mortgage application was rejected.
Of course, the best defense is to add a second factor of security to the card itself. Using a transaction confirmation system for risky or nonstandard transactions can go a long way toward preventing any credit problems.
Finally, if you ARE affected by this mess, you should have your bank issue new cards under new account numbers. In fact, you should consider replacing ALL of your cards, since it may be hard to tell which card you used at which merchant during which time period.
Getting a Break in the Case Against Computer Crime
January 30, 2009
It’s an us-against-them time in IT security. The more bad economic news I see, the more I understand the Bad Guys’ motive. Hacking, once a sport for the well-educated and well-off, is now a desperate measure for financial gain.
How many IT folks have been laid off in the last few months? How many are worried and anxious? How many are really angry on top of it? Attacks have never been more sinister because they’re conducted by really skilled people, sometimes with insider knowledge. Identity theft, man-in-the-middle attacks, malware gone mad – the list is endless, and attacks are growing in number, not just in intensity.
Keeping ahead of these threats keeps many of us up at night. So, this blog and the new Internet Talk Radio Show by the same name will focus on breaking open cases of data theft, network intrusion, and other attacks on the systems and information we security guys strive to protect. Each post will focus on a specific threat, looking at how it was (or could be) perpetrated, and how to protect against it.
About my approach: I’ve been blogging on-and-off for several years now while working on a two-factor authentication solution that I believe to be an incredibly powerful tool in the fight against data and identity theft. So as I map out an approach to thwart each attack, I will focus on authentication technologies and issues where applicable. That doesn’t mean I’ll limit which cases I take on.
But two-factor authentication can do a lot, which is why I’ve continued to work with it, and I’m going to prove it. I love a good challenge. Here’s my two cents about two-factor authentication: Sometimes (incorrectly, IMO) called “strong authentication,” two-factor authentication requires items from two of the following three categories:
- Something you know;
- Something you have;
- Something you are.
Given the expense and complexity associated with biometrics, that means that, practically speaking, two-factor means “something you know” and “something you have.”
There’s a catch, though. The “something you have” must really act like something you have, and not like “something you know”, or the security degrades to several-of-one-factor, which is generally not as strong.
An example of something you have is a cell phone. Here’s an example of something you think is something you have, but is really something you know: magnetic stripe cards, such as credit cards, ATM cards, lots of driver’s licenses, hotel room keys, door lock systems, time tracking systems, and whatever else has that little brown/silver/whatever stripe on the back of the card.
Magnetic stripe cards fool you: While they look like something you have, they act like something you know! What does it mean to “act like” something you know? Well, what are the characteristics of knowledge vs. tangible property?
- You can write down or memorize “something you know”;
- You can easily make a copy of “something you know”;
- In particular, Bad Guys can copy “something you know” without your, um, knowledge.
Now, think again about the magnetic stripe card. While it may be hard for you to make a physical copy of an American Express card, that’s rarely the issue: there are a great many cases where the merchant doesn’t even see the card. (Ever wonder why photographs on credit cards didn’t take off?) Heck, at this point, most modern merchants never see the card at all, even in retail stores: Target, Costco, and most of the other places I shop fall into this category.
So, if the merchant doesn’t see the card, what is it interested in? That’s right, the information on the card: the stuff encoded in the magnetic stripe, the stuff you know. It is not something you have. Something you have can only be in one person’s possession at a time.
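To show the difference between a static credential and something that actually behaves like “something you have”, here is an added example in Python (not code from this blog, and not the author’s product): a mag-stripe style verifier that accepts whatever string it saw last time, beside an RFC 4226 HOTP verifier of the kind a phone or key-fob token talks to. The shared secret is the RFC 4226 test-vector key, the track data uses the Visa test PAN, and the five-step look-ahead window is an assumed server policy. Both verifiers are then fed a credential that a tap on the wire captured, twice.

```python
import hashlib
import hmac
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class StaticCredentialVerifier:
    """Models a mag-stripe check: the card 'proves' itself by sending the same bytes every time,
    so anyone who has seen those bytes once is, to the verifier, the cardholder."""

    def __init__(self, track2: str):
        self._expected = track2

    def verify(self, presented: str) -> bool:
        return hmac.compare_digest(presented, self._expected)


class HotpVerifier:
    """Server side of an HOTP token. The secret never crosses the wire; only a code derived
    from (secret, counter) does, and each counter value is accepted at most once."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self._secret = secret
        self._next = 0               # lowest counter value still acceptable
        self._look_ahead = look_ahead  # assumed policy: tolerate a few unused presses

    def verify(self, code: str) -> bool:
        for c in range(self._next, self._next + self._look_ahead + 1):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._next = c + 1   # consume this counter: replaying the same code now fails
                return True
        return False


def replay_demo() -> Dict[str, bool]:
    """Constructed scenario: a tap records one authentication of each kind, then replays it."""
    secret = b"12345678901234567890"                  # RFC 4226 test-vector secret (assumed shared at enrollment)
    track2 = ";4111111111111111=091210112345678?"     # constructed track data, Visa test PAN

    card = StaticCredentialVerifier(track2)
    captured_track = track2                           # exactly what a sniffer on the wire sees

    token = HotpVerifier(secret)
    captured_code = hotp(secret, 0)                   # "755224": what the sniffer sees for the OTP login

    return {
        "static_first": card.verify(captured_track),
        "static_replay": card.verify(captured_track),  # copied stripe data works forever
        "otp_first": token.verify(captured_code),
        "otp_replay": token.verify(captured_code),     # the same code presented a second time
    }


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print(f"{k:14s} {'accepted' if v else 'rejected'}")
```

The stripe replay is accepted both times; the OTP replay is rejected the second time, and the months-old capture that made the Heartland data so valuable would be worthless against the token. The caveat to keep in mind is that HOTP stops capture-and-reuse, not real-time relay: a Bad Guy who can sit in the middle and forward a fresh code within the look-ahead window still gets one transaction, which is why the text above talks about confirming the transaction, not just the login.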
I used the all-too-popular, honestly scary magnetic stripe card for a reason. For our first case, we’ll look at a case of ATM fraud, how easy it was for a Bad Guy to siphon a checking account at a public ATM in broad daylight, and why PCI regulations won’t help at all. Stay tuned.
Let the investigation begin….