The Last Watchdog

on Internet security by Byron Acohido

Hannaford data heist shows limits of PCI

Posted on March 24, 2008 | 3 comments

Placing the burden on merchants to protect our sensitive data clearly is not a panacea. The hack/heist of 4.2 million customer transaction records from the Hannaford Brothers’ supermarket chain emphatically makes that point.

As we’ve previously reported, TJX similarly lost 94 million customer records–partly because it failed to comply with the Payment Card Industry Data Security Standard (PCI DSS), mainly enforced by Visa and MasterCard.

But the Hannaford Brothers were PCI compliant—and still got ripped off.

The U.S. Secret Service is investigating the possibility that data stored on the magnetic stripes of customer payment cards, including the PIN and CVV2 numbers, may have been taken. If so, this means the missing Hannaford mag stripe data can be readily used to make fraudulent online purchases.

“Cyber criminals have consistently found ways around the latest security technologies and will continue to do so,” says Pat Dane, chief revenue officer at MyPublicInfo.

PCI can give many merchants “a false sense of security,” says John Pironti, Chief Information Risk Strategist at Getronics. He says the bad guys have deep knowledge about how to circumvent security controls specified by PCI, “and are well on the way to working out the others.”

In fact, Pironti says that by stating it is PCI compliant, a merchant can actually give data thieves “a roadmap of the controls which you have in place which they can then circumvent.”

Given that risk, implementing database monitoring and encryption is relatively simple and inexpensive, says Ron Ben-Natan, CTO of Guardium. And yet many organizations continue to believe “it won’t happen to us,” he says.

To further complicate the issue, compliance, security and privacy fall under the IT department in most organizations today – instead of an independent oversight group such as Audit or Compliance, says John Linkous, compliance expert at eIQnetworks. “This really begs the question, ‘who’s watching the watchers?’,” says Linkous.

So how pervasively are the crooks converting Hannaford’s missing mag stripe data into cold, hard cash? This excerpt from Chapter 16 of ZDT summarizes how 19-year-old Irving Escobar played a key role in turning TJX data into cash, as the final link in a chain of highly organized cells:

Under the cell structure of the Florida gift card ring, Escobar had no need to know anything about the skilled counterfeiters adept at using commercial embossers and printers and graphics software to turn the blank front sides of magnetic striped cards into works of art: counterfeit credit cards slick enough to fool most sales clerks. Those master forgers, in turn, had no need to know anything about the cells controlling the ebb and flow of the stolen account data. Neither the street scammers, nor the forgers, nor the hackers who broke into TJX’s database had any reason to be knowledgeable about the deep-pocketed crime lords who likely funded the TJX hack and skimmed the cream of the profits.


In August 2007 Turkish police picked off what they believed to be a key cell leader with the arrest of Maksym Yastremskiy, a Ukrainian, at a nightclub in the resort city of Kemer. A police official described Yastremskiy as “one of the world’s important and well-known computer pirates,” according to Turkish news agency Anatolia.


Greg Crabb, an investigator for the U.S. Postal Inspection Service, told Boston Globe reporter Ross Kerber that Yastremskiy was likely the largest seller of stolen TJX account numbers. Crabb said Yastremskiy allegedly sold stolen TJX data through online carding forums hosted overseas. Prices ranged from $20 to $100 per stolen account number, depending on credit limits and other variables, and buys were made in batches of up to 10,000 numbers.


Irving Escobar had no reason to know, or care, where the account numbers on the mag stripes of the faked Visa cards he used came from. Whether Yastremskiy supplied El Flaco was meaningless. All that mattered to The Venezuelan was that by focusing on his cell’s tasks, he was able to earn enough cash in a matter of months to tool around Miami in a black 2006 Dodge Charger. The Florida Attorney General’s office and the Florida Department of Law Enforcement concurred that Escobar’s role was limited to risky grunt work that nevertheless represented an essential final step of a well-funded, tightly-run organized crime operation.


3 Comments

  1. [...] The Retail Industry Leaders Association’s Current Crime Trends Survey found retailers across the nation experiencing a 76% increase in “financial fraud,” much higher than the 61% increase in robberies and 53% increase in burglaries. No doubt part if not most of the spike in fraud was Internet-enabled, a la the Hannaford Brothers grocery store chain data heist. [...]

  2. [...] with PCI standards underscores questions about the efficacy of the PCI rules. After all, Hannaford Brothers grocery chain, likewise, met PCI rules, but had 300 stores hacked for 4.3 million [...]

  3. [...] be secure.” One need only look at some of the recent major data breaches such as Heartland and Hannaford and others to see that this is not true. Again, you need to go beyond mere compliance to achieve [...]
