What lessons can we learn from the Heartland credit card breach?

By Sharon Fisher | Published January 21, 2009, 5:03 PM

The company's response is raising troubling questions about the security of such processing centers and laws ostensibly intended to protect consumers in general.

Millions of credit cards per month, primarily used in restaurants, could have been exposed to hackers who broke into the Heartland Payment Systems processing center network, in an incident the company said Tuesday took place the previous week.

Heartland began looking into the problem after MasterCard and Visa reported suspicious card activity to it. The company advised cardholders to check their monthly statements for suspicious charges, because the potentially stolen data could be used to produce counterfeit cards. However, because it said the data contained no personally identifiable information such as Social Security numbers, it told cardholders they did not need to worry about identity theft.

That's the official story.

Heartland did not respond to requests for an interview, and the US Department of Justice, with which the company has been working, said it couldn't comment. But interviews in other media sources indicated that a malicious piece of software had been placed in the company's network for "more than weeks" and had been "sniffing" for card numbers using keylogging software.

Now, what's wrong with this picture?

  • We don't know how long the software was in the system. It could have been there for a much longer time, and not been turned on to capture numbers. Alternatively, numbers could have been captured for a very long time but not used until late in 2008 -- perhaps in the hope that the fraud would be disguised by the busy holiday shopping season. Heartland isn't saying, if indeed it even knows. So the problem is conceivably much more than "last week," or even "last month." In fact, some people, such as security analyst Michael Argast of Sophos, wonder whether Heartland deliberately released the report on Tuesday, when the nation was occupied with the Obama Inauguration. The company denies this.
  • Heartland did not discover the breach itself during its normal course of business, but only when it was notified by Visa and MasterCard - which is also hampering them in trying to determine the scope of the problem, said Argast. "If they had good auditing and logging practices, they would have been able to determine exactly when the attack occurred and what data was lost." "Why can't we periodically do more detailed forensics investigations of our own networks?" agreed Bill Sieglein, former US Intelligence Staffer and now CEO of the CSO Breakfast Club, a consortium of top Chief Security Officers across the US. Other analysts disagree. "If you can compromise the system processing credit cards, you can compromise the system that generates the log," said Mark Bower, director of information protection solutions for Voltage Security.
  • People whose cards may have been breached aren't being notified. In fact, Heartland won't even give the names of the sorts of businesses that use its services -- using as justification laws that are supposed to help consumers by making sure they're notified of such breaches. "They are hiding behind state disclosure laws" that say such companies don't need to inform consumers as long as law enforcement is involved, said Dan Clements, President of CardCops, a division of the Affinion Group. The point of such a loophole, which was in the seminal California identity theft law since copied by 44 other states, was to give law enforcement the opportunity to arrest people before the breach became public, but companies are using it to give themselves "wriggle room," he said.
  • We don't know whether it was an inside job -- which could be repeated. "We've seen insiders like IT managers, who maybe didn't get a raise, leave back doors open on servers behind firewalls," said Clements. Malicious hackers could then put keylogging on the servers, and compensate the insider, he said. "It's hard to prove an IT administrator looked the other way or didn't patch something."
  • If it's not identity theft by the book, it may as well be. While it's true that the stolen data could not be used directly for identity theft, it could be used to help identity thieves know where to look, Clements said. They can tell from a card number whether it's a platinum card, look up the owner of the card number, and then use other sources to obtain information about that person. "They will piece you together, if they feel you're a valid candidate for identity theft," he said.
  • We're not even sure this is an isolated incident. We don't know whether similar problems might be going on at other processing centers. Heartland is one of the five biggest, Argast said. So what about the other four? In fact, such processing centers are increasingly the target for thieves who want to avoid the middleman; Royal Bank of Scotland's processing arm for its gift and payroll card business was targeted in December.
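Bower's objection above, that whoever compromises the card-processing host can also compromise its logs, is the standard argument for shipping logs off the host and making them tamper-evident. The following is an added example, not Heartland's, Sophos's or Voltage's code: a forward-secure log chain in which each entry is tagged with an HMAC under a key that is immediately ratcheted through a one-way hash, so a compromise at time T only hands the attacker keys for entries written after T. The initial key, the sample log lines and the attack scenario are all constructed for the illustration; the initial key is assumed to live off the host (a log server or HSM), which is what makes the scheme work.

```python
"""
Forward-secure, tamper-evident log chain (constructed example).

Each entry is tagged with HMAC-SHA256 under the current key; the key is then
ratcheted (hashed) and the old key erased from the host. An attacker who gains
root later finds only the current key, so entries written before the compromise
cannot be altered or silently dropped without the off-host verifier, which
holds the initial key, noticing.
"""
import hashlib
import hmac
from typing import List, Tuple

Entry = Tuple[int, str, str]  # (sequence number, message, hex tag)
_GENESIS = "00" * 32          # previous-tag value for the first entry


def _ratchet(key: bytes) -> bytes:
    """One-way key evolution: knowing key_{i+1} reveals nothing about key_i."""
    return hashlib.sha256(b"ratchet" + key).digest()


def _tag(key: bytes, seq: int, prev_tag: str, msg: str) -> str:
    """Tag binds sequence number, previous tag and message, so altering,
    reordering or removing an entry breaks the chain from that point on."""
    data = seq.to_bytes(8, "big") + bytes.fromhex(prev_tag) + msg.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ForwardSecureLog:
    """Host side: holds only the current (already ratcheted) key."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._seq = 0
        self._prev = _GENESIS
        self.entries: List[Entry] = []

    def append(self, msg: str) -> Entry:
        tag = _tag(self._key, self._seq, self._prev, msg)
        entry = (self._seq, msg, tag)
        self.entries.append(entry)
        self._key = _ratchet(self._key)  # old key no longer exists on the host
        self._seq += 1
        self._prev = tag
        return entry


def verify(initial_key: bytes, entries: List[Entry]) -> int:
    """Verifier side (off-host, holding the initial key): recompute the chain.
    Returns how many leading entries verify; equals len(entries) if intact."""
    key, prev = initial_key, _GENESIS
    for expected_seq, (seq, msg, tag) in enumerate(entries):
        if seq != expected_seq or not hmac.compare_digest(tag, _tag(key, seq, prev, msg)):
            return expected_seq
        key, prev = _ratchet(key), tag
    return len(entries)


def demo() -> dict:
    # Constructed key; in practice it is generated on the log server/HSM.
    k0 = hashlib.sha256(b"constructed demo key - keep off the host").digest()
    log = ForwardSecureLog(k0)
    # Constructed sample lines, not real processor telemetry.
    for line in [
        "2009-01-05T02:14:07 svc-auth login ok user=batch01 src=10.20.0.5",
        "2009-01-05T02:14:09 svc-auth new service installed name=netmon2.exe",
        "2009-01-05T02:14:10 fw outbound 10.20.0.5 -> 203.0.113.7:443 bytes=1048576",
    ]:
        log.append(line)
    intact = verify(k0, log.entries)

    # Attacker with root after entry 2 rewrites the install event in place.
    forged = list(log.entries)
    seq, _, tag = forged[1]
    forged[1] = (seq, "2009-01-05T02:14:09 svc-auth heartbeat ok", tag)
    edited = verify(k0, forged)

    # Attacker instead truncates the log to hide the exfiltration: the prefix
    # still verifies, so the verifier must also know how many entries to expect.
    truncated = verify(k0, log.entries[:2])
    return {"total": len(log.entries), "intact": intact,
            "edited": edited, "truncated": truncated}
```

Two limits are visible in the demo: truncation is only caught if the verifier already knows the expected sequence count (shipping entries off-host in near real time, or periodically committing the count, closes that gap), and entries written after the compromise are tagged with a key the attacker also holds, so forward security protects the past, not the future.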

Some security specialists -- particularly those who sell encryption software -- are suggesting that end-to-end encryption is needed. "Where this breach has taken place is in an 'air gap' in encryption," said Bower. When the data is collected by Heartland, it may be encrypted and follow other best practices and specifications collectively known as Payment Card Industry Data Security Standard (PCI DSS), but internally it decrypts the data to send it to MasterCard and Visa, and that's where it can be compromised, he said.

Sieglein also suggested improved encryption was necessary at the database level. "We need to get serious about data encryption and find ways to efficiently encrypt full databases at rest in a way that allows that data to be protected, but also allows the applications that need that data to decrypt it quickly so as not to add undue latency," he told Betanews.

However, keeping the data encrypted causes a problem because then it doesn't "look like" a credit card number any more, which causes problems in other software. A technique known as "format-preserving encryption" encrypts data without having to rewrite all that software, Bower said.
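To make concrete both the "air gap" Bower describes (the card number is decrypted on an internal hop and a sniffer on that hop sees it in the clear) and the format-preserving fix, here is an added example, not Heartland's or Voltage's code and not the NIST FF1/FF3 algorithm: a simplified alternating Feistel network over decimal digits using HMAC-SHA256 as the round function, which turns a 16-digit card number into another 16-digit string that the same schema checks and legacy code paths will accept, and that inverts exactly with the key. The key is constructed for the demo and the input is the well-known Visa test number, not a real card; preserving the BIN and last four, and folding them into the tweak, is a common deployment option that is assumed here.

```python
"""
Toy format-preserving encryption (FPE) for a card number (constructed example).

The ciphertext has the same length and character class (decimal digits) as the
plaintext, so it can stay encrypted across internal hops that expect a PAN.
This is NOT NIST FF1/FF3 (those use AES-based round functions and a fixed
round structure); it only illustrates the idea. Use a vetted FF1 library and
a managed key in production.
"""
import hashlib
import hmac

ROUNDS = 10  # even, so both halves return to their original positions


def _round_function(key: bytes, tweak: bytes, i: int, digits: str, modulus: int) -> int:
    """PRF over (tweak, round index, current half), reduced mod 10^m."""
    msg = tweak + bytes([i]) + len(digits).to_bytes(1, "big") + digits.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % modulus


def fpe_encrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Alternating Feistel over a decimal string of any length >= 2."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v           # length of the half being rewritten
        modulus = 10 ** m
        c = (int(a) + _round_function(key, tweak, i, b, modulus)) % modulus
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Exact inverse: run the rounds backwards, subtracting the PRF output."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        modulus = 10 ** m
        c = (int(b) - _round_function(key, tweak, i, a, modulus)) % modulus
        a, b = str(c).zfill(m), a
    return a + b


def _split_pan(pan: str, keep_prefix: int, keep_suffix: int):
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 decimal digits")
    cut = len(pan) - keep_suffix
    if cut - keep_prefix < 2:
        raise ValueError("too few digits left to encrypt")
    return pan[:keep_prefix], pan[keep_prefix:cut], pan[cut:]


def encrypt_pan(key: bytes, pan: str, keep_prefix: int = 6, keep_suffix: int = 4) -> str:
    """Encrypt the middle digits; BIN and last four stay in the clear and act
    as the tweak, so equal middles under different BINs encrypt differently."""
    head, middle, tail = _split_pan(pan, keep_prefix, keep_suffix)
    return head + fpe_encrypt_digits(key, middle, (head + tail).encode()) + tail


def decrypt_pan(key: bytes, token: str, keep_prefix: int = 6, keep_suffix: int = 4) -> str:
    head, middle, tail = _split_pan(token, keep_prefix, keep_suffix)
    return head + fpe_decrypt_digits(key, middle, (head + tail).encode()) + tail


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check; real PANs pass it, FPE output generally will not."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key - use a managed key in practice").digest()
    pan = "4111111111111111"  # well-known Visa test number, not a real card
    token = encrypt_pan(key, pan)
    return {"pan": pan, "token": token, "roundtrip": decrypt_pan(key, token),
            "same_shape": len(token) == len(pan) and token.isdigit(),
            "pan_luhn": luhn_valid(pan)}
```

The token passes the length and all-digits checks that a database column or message format imposes, but not in general a Luhn check, which is why a deployment has to decide whether downstream systems validate the check digit. Any process between the point of capture and the hand-off to the card brands then handles only the token; a sniffer on that hop, the spot Bower identifies, captures nothing it can use without the key, which should stay in an HSM rather than on the processing host.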

What should people do?

  • Look at statements and accounts and "watch them like a hawk," Clements said, especially for little charges -- as small as 35 cents, perhaps charged to a charity -- that are placed to help thieves determine whether a card is valid.
  • Even if you get a new card from your bank, change the PIN, Clements said.
  • Vendors in this area have a whole "laundry list" of tasks to perform, including better auditing practices, better monitoring, better logging, network intrusion protection, stronger malware protection, and detection of behavioral problems, Argast said.

But until the problem is dealt with on an industry-wide basis, "Expect to see more of this," Sieglein advised. "As long as criminals have a lucrative target and some modicum of success, they will continue to pursue the treasure. We've got to make it more difficult to get the treasure."

Comments

Over the last year I've seen that the bigger and more important a company is, the less they care about security, privacy, or IT staff.

"the kid down the block" is what the majority of companies hire to do their IT work.

I'm SHOCKED that a corporation like this allowed remote access, did not do 3rd-party audits, and the management did not ask/ensure things were secured.

As for them blaming the IT manager because they got turned down for a raise, that sounds like a typical scapegoat rap. I guess a local bank that uses these guys is affected by it too.... Glad I do not do business with them!

Score: 0

I am a small retailer who just signed to begin processing with Heartland tomorrow. Somehow the news of all this didn't reach me until now. I guess like others I was focused on our new president taking office. Should I try to pull the plug before the install tomorrow, or just go with them. Are they no more vulnerable than anyone else?

Score: 0

I actually was a "victim" I guess you could say with this entire thing. I used my card on approx Jan 11th and it was declined.

Some of the credit card companies are taking an offensive and saying, "F*** you guys, we're not waiting until you tell us which numbers are affected, we're being proactive!"

After calling my CC company and inquiring why my CC was declined, I was asked approximately 20 or so questions (or so it seemed) and then informed my old account number is defunct, will never work again, and that my new card will arrive by mail. I was shocked, but at the same time relieved that I had not seen any purchases that were out of the question.

If you couldn't tell, I have come to like my CC company. This is the second time they've protected my account from hooligans. The only problem was I had to wait for them to "overnight" a new card (it was Sat, and I ended up not receiving it until Tues night.) ... I was, in essence, cardless for three days straight. (not going to lie, it was slightly horrible waiting for it)

Score: 0

"What lessons can we learn from the Heartland credit card breach?"

Ah.....I'll stick my neck out and make a guess that best practices in Information Assurance are important.

Score: 0

There is an international standard for secure face-to-face or online card transactions. It's EMV. On top of which 3dSecure offers web payment security. Etc...
It was imposed on the world by Visa and MasterCard, but not the US......

PCI DSS only exists because the US has not migrated to chip cards (EMV). Maybe it's time now.

Score: 0

Secure huh?
If only. For every strength, there is a weakness.

EMV and chip based solutions are worthless for over the phone transactions.

And 3dSecure is subject to phishing and man-in-the-middle attacks.

The real solution is as Tool has mentioned.
Judicious application of security best practices and audits to test and verify.

And anyone still using WEP (or WPA for that matter, now that 802.11i-AES, aka WPA2-AES, is readily available, be it personal or enterprise) deserves to be hacked.

Score: 0

When you have Payment Card Industry Security Standards (PCI DSS) that is only going to curtail the use of WEP security standards for the wireless transmission of confidential account information in 2010 (!!!), what do you expect?

There are effectively no current procedures in place, and even less incentive to implement them, as evidenced by the change to require WEP be dropped in 2010 that was ONLY made a few months ago in late 2008!

As long as the exposure and penalties for doing nothing are less than the cost of implementing said security controls, we will continue to see the cost/benefit analysis accountants prevail, just as we did in the infamous Pinto exploding gas tank scandal of the '70s, where Lee Iacocca (remember "Mr. Safety"???), then with Ford, decided that paying the few settlements for being responsible for a few 'crispy critters' resulting from accidents was cheaper than paying the ~$3-$5 to retrofit the myriad Pintos on the road.

The more things change...

Score: 1

Capitalism at its finest. [smiles] And some say that regulations aren't needed. How short sighted and stupid they are for saying that.

Score: -1

Regulations aren't needed. :)

Security Audits are. This can easily be avoided by following some *very* simple and *very* old (relatively speaking) security protocols.

But as usual, sjc001 jumps on the "anti-capitalism" bandwagon and completely misses the point.

Go figure... Now quick! Call me some made up word that you and 3 other people think are "cool"!

Score: 0

Regulations ARE needed. Without a heavy penalty, kindly corporate types will not spend the money needed. I have no recourse if regulations/laws are not broken.

The Free Marketplace wonder puppy needs its nose slapped. Fortunately, I think its on its way to the pound...

Score: 0

The heavy penalty is the lawsuits brought to bear as a result of their inability to follow basic security guidelines that have been in place and well documented for *ages*.

The government can't even keep its own laptops clear of restricted data theft; you want to expand their incompetence to private corporations (many of which now seem to be incompetent enough in this regard on their own)?

Score: 0

Tweenboy has no clue. Capitalism, socialism (both terms he fails to understand) have no bearing on security procedures. And regulations, regardless of how many you have or add, don't matter if they are not followed and effectively implemented.

And as if more regulations will result in criminals ceasing to attempt to compromise valuable resources.

Gee, if we just had more laws against murder, the crime would disappear. Funny, it's so often the same ones yelling for more regulation who are in so many cases the same ones arguing against capital punishment.

But such concepts are far beyond the understanding of a dweeb who thinks using his TV as a monitor is somehow an advanced concept and something to brag about! LOL!

Score: 0
